Forum Discussion
Users behind 1 IP not load balancing across pool members
I have a VIP configured with 6 servers, http profile, client and server ssl profile, and session cookie persistence with a 2 hour timer. My issue is users that are VPN'd in and using a single jump host to connect to a particular application is only connecting to 1 server. The servers have their own cookie (I think may be a part of the issue).
I asked a user to open multiple tabs to see if it would load balance across servers, but that did not seem to work. At this point, I am out of ideas.
VFB Are you positive they shouldn't be load balancing this way? Are you positive that each user isn't sharing their cookies if they are the same box? You should be able to verify what the F5 is receiving if you perform a tcpdump. You can also use the dev tools in the browser to confirm they are each receiving a unique cookie. I believe the following will get you what you want, just replace all this text <client_IP with the client IP that they are coming from. You can copy this off the F5 and open in wireshark to see if you can find anything that way.
tcpdump -nni 0.0:nnp <client_IP> -w /shared/tmp/testcapture.pcap
- VFB
Cirrus
I don't think the application is generating a new cookie, despite the user having to log in again if they open a new tab.
If a new cookie isn't being provided it's an issue on the jump host device. You need to make sure each user has their own profile that separates browser data per user.
I would recommend that you try adding a OneConnect (/32 mask) profile to the virtual server. This will instruct the BIG-IP to load balance and perform content switching on every HTTP request instead of once per TCP connection. This is an issue that I usually see when you have a proxy / CDN in front of the F5 BIG-IP which translates many client source IPs to a single proxy IP.
create ltm profile one-connect ONECONNECT-32 defaults-from oneconnect source-mask 255.255.255.255 modify ltm virtual <VS NAME> profiles add { ONECONNECT-32 }
Let me know if this helps.
- VFB
Cirrus
I have a OneConnect profile associated with the VIP and it didn't change anything.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com