Forum Discussion

Brian_Martinez_
Nov 13, 2006

Persistence from single IP address

We currently have an SSL VPN product in use to provide external access to internal applications. The most recent application will be hosted on several web servers in a web server farm. The issue is that we need load balancing as well as persistence between the session on the SSL VPN box and the web servers. Unfortunately, since the VPN box is terminating the SSL connection and acting as a proxy, the client never actually talks to anything outside the DMS. The SSL VPN box actually initiates all the requests. As a result, the thousands of users that are expected to use this app will have the same source IP. To add to the complexity, the SSL box terminates the SSL session, which proxies the client's request to the web servers. The VPN boxes will not pass a cookie to the clients, so we are prevented from doing cookie persistence. I was hoping to be able to do some sort of iRule to maintain persistence using the TCP port between the VPN box and the F5.


Is there an iRule that can maintain persistence based on TCP ports?


Thanks.
  • You could try something like this:

    
    when CLIENT_ACCEPTED {
        # Key the session-table record on the source address (here, the VPN box)
        set src_IP [IP::client_addr]
        # No record yet for this source: store the client-side TCP port of this
        # connection and keep it in the session table for 1800 seconds
        if { [session lookup uie $src_IP] equals "" } {
          session add uie $src_IP [TCP::remote_port] 1800
          log local0. "added client port [session lookup uie $src_IP] for client ip $src_IP "
        } else {
          # A record already exists for this source; report the stored port
          log local0. "existing client port [session lookup uie $src_IP] for client ip $src_IP"
        }
    }

    The 1800 is the time in seconds you want to keep the persistence record in the session table. The logging statements are for debugging/testing purposes; you can yank them after your testing is complete, or just comment them out.
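    An added example, not the responder's iRule above and not F5 code: a variant that turns the source IP and port pair into an actual persistence key with `persist uie`, so the F5 pins each VPN-side connection to the pool member it first selected. It assumes a Universal persistence profile is assigned to the virtual server (required for `persist uie`) and that the VPN box is the only client, so the source port is what distinguishes user sessions.

```tcl
# Added example; assumes a Universal persistence profile on the virtual server.
when CLIENT_ACCEPTED {
    # Every session arrives from the one VPN address, so the source port is
    # what makes each connection distinct. Key the persistence record on both.
    set persist_key "[IP::client_addr]:[TCP::client_port]"
    # Create (or refresh) the universal persistence record; the 1800 second
    # idle timeout matches the session-table timeout used in the reply above.
    persist uie $persist_key 1800
}

when LB_SELECTED {
    # Debug logging only: shows which pool member the key was tied to.
    # Remove or comment out once the behaviour has been confirmed.
    log local0. "persist key $persist_key -> [LB::server addr]:[LB::server port]"
}
```

    Because the key includes the source port, a request the VPN box sends over a new TCP connection (and therefore a new ephemeral port) gets a fresh record, so this keeps a user on one server only for as long as the VPN box reuses the same connection.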