Forum Discussion
Persistent node across multiple VS
I have an application that communicates using both https and 8443/tcp port on the same back-end web server. Healthcheck is done by checking a server response on 8080/tcp port. There are a total of 2 web servers.
https service is setup using standard VS.
8443/tcp service using fastL4 VS since nothing else would work.
How should I setup the nodes so that the same node will always be servicing each client?
What options do I have regarding the healthcheck option?
Would it simplify things if only one node can be active at any given time?
9 Replies
- What_Lies_Bene1
Cirrostratus
Just to clarify;
1) Does the client also communicate on these ports?
2) Do you have or can you get the SSL/TLS private key and certificate?
3) Is the 8443 traffic SSL/TLS also?
4) Do you want the same client to go to the same Pool Member, regardless of which Virtual Server is used?
- Amnard
Nimbostratus
1) Does the client also communicate on these ports?
Yes, initially, the client will communicate on https. If needed, it will talk on 8443/tcp.
2) Do you have or can you get the SSL/TLS private key and certificate?
Yes to both.
3) Is the 8443 traffic SSL/TLS also?
Doesn't seem to be, since it doesn't work.
4) Do you want the same client to go to the same Pool Member, regardless of which Virtual Server is used?
Yes, you worded it better than I can...
In case you are wondering and in case there's a guide out there already, this is for Shibboleth implementation.
- What_Lies_Bene1
Cirrostratus
OK, so, assuming it's OK terminating SSL at the F5 I'd recommend;
a) Configure the 443 VS to terminate the SSL and apply a custom Cookie Persistence profile (if the server currently terminates the SSL, some reconfiguration at the server may be required) and OneConnect profile
b) Configure the 8443 VS as a standard VS with a HTTP profile (no SSL profile) and apply the same Cookie Persistence profile and OneConnect profile
c) Use a custom http monitor to do the health check for each pool (do not specify a port, it'll use the Pool Member port automatically). You could also use tcp_half_open but http is preferable.
If it's possible to use source IP address persistence, that might be more reliable with the 'Match Across Services and Pools' options enabled
You may need to do some tcpdumps on the F5 to better understand the port 8443 traffic?
- Amnard
Nimbostratus
a) Already configured as you stated.
b) I will try doing as you suggested. I recalled it was one of the setups that I attempted before but didn't work--it wouldn't hurt to try again. So the end goal is to use the same Persistence and OneConnect profiles? Which profile would dictate the persistent node or do I need both profiles for that?
c) The problem is the healthcheck is on a totally different port 8080/tcp. I am considering doing the healthcheck on each node instead.
- What_Lies_Bene1
Cirrostratus
b) The Cookie Persistence profile will control the persistence, the OneConnect profile ensures each request in a connection is persisted correctly
c) It's pointless doing the health check on a different port, why can't you point it to the correct ones? Do you have one Pool setup or two?
- Amnard
Nimbostratus
c) That's how the application is... If the app is operating correctly, we can verify its status over 8080/tcp. This covers individual services.
- What_Lies_Bene1
Cirrostratus
Fair enough. So, do you have what you need do you think?
- Amnard
Nimbostratus
Yes, I will need to schedule a time to do b) since it is a production system and cross my fingers that it won't break the app. I will be back if it's not working.
Thanks for your help!!!
- What_Lies_Bene1
Cirrostratus
Let us know either way. Thanks
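
The source-address persistence option with 'Match Across Services' and the 8080/tcp health check discussed in the thread, sketched as tmsh commands. This is an added example, not configuration posted by either participant; all object names (`shib_src_persist`, `shib_status_mon`, `vs_https`, `vs_8443`, `pool_https`, `pool_8443`), the timeout and the monitor send/receive strings are assumptions.

```tmsh
# Added example. Object names, the timeout and the monitor strings are
# hypothetical; substitute the names and values from your own configuration.

# Source-address persistence with Match Across Services. A record created
# through one virtual server is reused by other virtual servers on the same
# virtual IP address, provided both pools reference the same node addresses.
# Unlike cookie persistence, this needs no HTTP profile, so it also works
# on the existing fastL4 virtual server.
create ltm persistence source-addr shib_src_persist defaults-from source_addr match-across-services enabled timeout 3600

# HTTP monitor aimed at the application's status port 8080/tcp, as described
# by the original poster. Leave out "destination" to probe each pool member
# on its own service port instead, as the reply suggests.
# The request and expected response are assumptions.
create ltm monitor http shib_status_mon defaults-from http destination *:8080 send "GET / HTTP/1.0\r\n\r\n" recv "200"

# Use the same monitor on both pools so a failed server is removed from
# both services together.
modify ltm pool pool_https monitor shib_status_mon
modify ltm pool pool_8443 monitor shib_status_mon

# Apply the same persistence profile to both virtual servers.
# replace-all-with removes any persistence profile already assigned.
modify ltm virtual vs_https persist replace-all-with { shib_src_persist }
modify ltm virtual vs_8443 persist replace-all-with { shib_src_persist }

# Check: after a test client has used both ports, it should have one
# persistence record pointing at a single node address.
show ltm persistence persist-records
list ltm virtual vs_https persist
list ltm virtual vs_8443 persist
```

Clients that reach the F5 through a shared NAT or proxy address will all persist to the same node with this method, which is the trade-off against cookie persistence.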