Hamada_Tabosha_
Nov 12, 2013

Persistence and loadbalancing

Dears, I have a 2-tier application, web tier and application tier. The web tier servers are load balanced through F51 and the application tier servers are load balanced through F52, so the user hits the VS in F51, which sends the traffic to one of the web servers; then the web server initiates a request with its own IP to the VS in F52, which sends the traffic to one of the application tier servers.

Now, one of the user requirements is persistence. The problem is I'm seeing the requests go to just 3 of 22 application servers when I access through the web tier VS (F51 VS), but the traffic is load balanced to all 22 when I access the application tier VS directly (F52 VS).

 

14 Replies

  • Then, if you need persistence to the app tier, source IP persistence (doesn't matter whether SNAT is enabled or not) on the inside VIP will also work (but is not necessarily going to give you even load across the app tier).

     

    How is using SNAT on the outside F5 going to give you any sort of reasonable persistence on the inside F5 if all requests are coming from the same IP address? Without SNAT, the client's true source should be available to the inside F5 for real persistence, arguably not perfect though.

     

    If source address is not a stable value, and you can't do something like universal persistence (something in the payload), then really the only viable approach is cookies. You must not, however, use the default BIGipServer cookie on the internal F5 as that contains the encoded value of selected pool and node on one F5, and would not necessarily work for the other. Create a cookie persistence profile on the internal F5 that does not use the default BIGipServer name. Use regular (default) cookie persistence on the external F5. You should see both cookies at the client after the first response, and you should see the internal cookie reach the internal F5 and persist accordingly.

     

  • How is using SNAT on the outside F5 going to give you any sort of reasonable persistence on the inside F5 if all requests are coming from the same IP address? 
    

    You should always use SNAT when oneconnect is enabled, as oneconnect can hide true source IP, and using a SNAT is a way of explicitly indicating that the source IP you are seeing is not 'real' (otherwise people who are trying to troubleshoot who don't know about oneconnect may think they are seeing the actual client source IP). The point I was trying to make above was that using SNAT or not makes no difference in this situation as...

    Without SNAT, the client's true source should be available to the inside F5 for real persistence, arguably not perfect though.
    

    The source IP seen by the inside 'app' tier will be the source IP of the 'web' tier, not the actual client IP. It's irrelevant whether SNAT is used on the web tier VIP or not.

    Using source IP persistence on the inside tier (which will use the web tier IP) is not going to get a smooth load distribution, however it's about as good as you are going to get unless the web tier acts as a proxy and passes L7 information like cookies, from the client request, down to the request made to the inside tier, and passes cookies from the app tier back to the client.
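
The behaviour discussed in this thread, as an added simulation that is not part of any reply and is not F5 code: it compares source-IP persistence on the inside virtual server with a persistence cookie that the web tier relays from the client. Assumptions: three web servers with constructed IPs, round robin for keys the inside virtual server has not seen before, and the hypothetical names `InsideVS` and `simulate`.

```python
from collections import Counter

APP_POOL = [f"app{n:02d}" for n in range(1, 23)]      # 22 members, as in the thread
WEB_TIER = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]    # constructed web-server IPs (assumption)


class InsideVS:
    """Inside virtual server: round robin for new keys, persistence table after that."""

    def __init__(self, pool):
        self.pool, self.table, self.rr = pool, {}, 0

    def route(self, key):
        if key not in self.table:
            self.table[key] = self.pool[self.rr % len(self.pool)]
            self.rr += 1
        return self.table[key]


def simulate(persist_on, clients=500, requests_each=4):
    """persist_on is 'source_ip' or 'relayed_cookie'.

    Returns (hits per app server, set of app servers seen by each client).
    """
    vs = InsideVS(APP_POOL)
    hits, per_client = Counter(), {}
    for c in range(clients):
        web_ip = WEB_TIER[c % len(WEB_TIER)]  # outside F5 keeps the client on one web server
        for _ in range(requests_each):
            # The web server opens the inside connection itself, so the inside F5
            # sees web_ip as the source whatever SNAT does on the outside F5.
            key = web_ip if persist_on == "source_ip" else f"cookie-{c}"
            member = vs.route(key)
            hits[member] += 1
            per_client.setdefault(c, set()).add(member)
    return hits, per_client


if __name__ == "__main__":
    for mode in ("source_ip", "relayed_cookie"):
        hits, per_client = simulate(mode)
        sticky = all(len(s) == 1 for s in per_client.values())
        print(f"{mode:15} app servers used: {len(hits):2} of {len(APP_POOL)}  "
              f"busiest: {max(hits.values())}  every client sticky: {sticky}")
```

Both modes keep every client on one app server; only the relayed cookie gives the inside virtual server enough distinct keys to use the whole pool.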