Forum Discussion
J_T__47709
Nimbostratus
NimbostratusProblem with SSL termination on LTM...
I couldn't configure LTM to balance https traffic to different pools (same target servers but different ports), depending on client IP address (using iRule), so I tried another approach...SSL termination on LTM.
For test purposes I created dummy SSL certificate on LTM and clientSSL profile for my certificate/key combination...configured VS to use that clientSSL profile and...
Everything was working fine (decrypting client packets and sending them in clear text to target server and encrypting clear text responses before returning them to client) WHILE I had only one member in the pool. If I tried to add another member in the pool, packets would continue to go to the 1st member like nothing happened.
I even tried to disable 1st member but than I didn't get any response (nothing was going to 2nd member in the pool).
After I removed 1st member from the pool and left only 2nd member everything was working fine again.
Does anybody know what should I do to solve this problem?
Thanks.
J.T.
5 Replies
- The_BhattmanI had the same issue. I had to change the state in the member properties to only active accontions are allowed on top of the disable because of persistance was enabed.
hoolioCirrostratus
I couldn't configure LTM to balance https traffic to different pools (same target servers but different ports), depending on client IP address (using iRule), so I tried another approach...SSL termination on LTM.
The BIG-IP is probably more efficient at decrypting the SSL than the servers, but if you wanted to try your original goal of passing the SSL through encrypted, you could try two different options:
1. Create a single virtual server on port 0 (any) pointing to a single pool with the pool members also defined on port 0. Disable port translation on the virtual server so that requests to 80 go to the pool on port 80, etc. Add a source address persistence profile and you should see requests persisted to the same pool member regardless of whether the request is on 80 or 443. To restrict access to just port 80 and port 443, you could add a rule which checks the requested port in CLIENT_ACCEPTED and rejects all but 80 and 443. Else, you could use packet filters to do this.
2. You could create one VIP on port 80 and a second on 443. The pool members would also be configured on the same port. Add a custom source address persistence profile to both VIPs with 'Match Across Services' enabled.
Aaron- J.T.: You should be able to LB both ways using your iRule (with or without SSL termination).
The real issue is the one to which cmbhatt alluded: The state change to "Disabled" didn't do what you expected, most likely because persistence was enabled in the pool and you were testing from only 1 IP address.
Pool members & node addresses can be set to one of 3 states:
Enabled: Allows all connections
Disabled: Allows existing connections to continue, & accepts new connections with valid persistence tokens
Forced offline: Allows only existing connections to continue
To replicate the action of removing the server from the pool, set the state to "Forced offline" instead of "Disabled"
(Look for this topic as the inaugural effort for our new "Post of the Week" video series. Will post a link when it's up.)
HTH
/deb 
J_T__47709Thank you all for all your suggestions and help.
Best regards,
J.T.
