Forum Discussion

williamcs's avatar
Icon for Nimbostratus rankNimbostratus
Sep 04, 2023

Persistence for https

How to remain the client to the same pool member in the https traffic if not enable ssl profile in F5?

I have tried cookie persistence but failed because I don't enable client ssl profile. I have try source address persistence but it's not working if client ip was changed. 


4 Replies

  • Hello,

    I think you can try terminating SSL connection by adding SSL profile, as the best way for http persistence is the cookie option. And as you mentioned, you cannot use it without SSL profile.

    or you can try changing the source address settings to increase the mask from /32 to /24 for example, to match on larger range of IPs instead of one. so if a client IP changed but within the subnet, F5 can still find a match for the client.



  • Hi williamcs , 
    Like Mohamed_Salah_  recommended in Source address affininty method. 

    Just I want to add , if you don't want to do any ssl terminations through F5 bigip. 
    I recommend to use ssl-proxy feature with adding ( Client and server ssl profiles ) , using this bigip will let the backend servers to do ssl negotiations and bigip will be in between ( client - servers ) and see the http payload dycrypted but without any actions or participating in ssl negotiations. 

    So using this you can meet your current deployment of making bigip not to negotiate on ssl and bigip will be able to insert cookie persistence. 

    ssl-proxy is very useful when you want to secure your application through AWAF policies without terminating ssl connections , also u can use it to work with irules or inserting cookies , 

    in the following article , you will know how to deploy SSL-PROXY feature with steps :


  • Thank you for your fast reply. 

    But end user's security team is not allow us to install ssl cert in F5. So I'm not able to use any ssl profile.

    Do I have another way to do it? 

    • well williamcs , 

      in this case you have to follow Mohamed_Salah_  recommendation of extending Source address affininty persistence subnet range and monitor the flows. 

      you can't use cookies without ssl decryption and http profile as well.