For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MW1's avatar
MW1
Icon for Cirrus rankCirrus
Apr 15, 2014

SSL persistence method even though the SSL session is being terminated

All minor question on some F5 config I have inherited that caught me out. Virtual server listening on HTTPS on the front end, and communicating on plain HTTP to the backend pool of servers. The persi...
application delivery
design
LTM
Kevin_K_51432's avatar
Kevin_K_51432
Historic F5 Account
Apr 16, 2014

Hi MW, It looks like the only restrictions are using an SSL Server Profile and Client Authentication. Some additional details:

 

https://support.f5.com/kb/en-us/solutions/public/3000/000/sol3062.html?sr=36697813

 

Be careful of using source address as backup. If connections come through a proxy or the timeout is longer for the source IP, it will overtake the SSL ID Persistence.

 

Kevin

 

What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Apr 17, 2014
Thanks Kevin. I finally found my notes from the other Kevin, as follows: "on some older platforms, the SSL session ID isn’t stored globally; it’s stored within the TMM handling that connection. Therefore a CMP system may create multiple different persistence records for connections within a single session. Disabling CMP on the Virtual Server overcomes this issue but this is not ideal." - I'd assume this isn't really an issue anymore with the various TMOS and platform upgrades since then.