Forum Discussion
Using encrypted persistence cookies with multiple LTMs
I have a dual datacenter architecture, using GTMs to load balance between datacenters, and in each datacenter I have a pair of LTMs that use cookie-based persistence, so that if DNS persistence fails, the LTM in the opposite datacenter can still send the traffic back to the original web server via an internal backhaul circuit. I use the same pool names so the persistence cookie will work in either datacenter. My question is: if an LTM in one datacenter encrypts the persistence cookie, would the LTM in the other datacenter still be able to use it? I haven't been able to find much documentation on how the cookies are encrypted. My guess is that the LTM that encrypts it has a private key to decrypt it, and that key probably wouldn't be available to the other pair of LTMs. Anyone have experience with this?
7 Replies
- Nick_T_68319
Nimbostratus
Yeah, as long as the cookie name and the secret phrase match, it will be fine. I run the same setup.
- Mark_Cloutier
Nimbostratus
Thanks Nick, I must have missed that part about using a secret phrase... that makes sense. I was worried it was going to be some internally generated private key like with a self-signed cert that might be painful to export and import....
- Maverick09_1909
Nimbostratus
Hi All, I am using the F5 default cookie for persistence, defined on the virtual server, which has the same name in both datacenters. I use an iRule to route the traffic to the original datacenter in case traffic goes to the other datacenter. But it looks like the persistence cookie is getting reset when it goes to the opposite datacenter, since the persistence cookie identifying the server is invalid for this new datacenter. Now, when traffic is routed back to the original datacenter, the cookie is invalid again, so the session goes to a different server. How can I stop the persistence cookie from being reset when it goes to the opposite datacenter, and kick off routing to the original datacenter before any cookie is reset?
- Mark_Cloutier
Nimbostratus
The persistence cookie contains the pool name, so you need to use the same pool name in both datacenters, or, in the iRule that does the redirection back to the "correct" datacenter, make sure you are redirecting before a load balancing decision is made, with the associated persistence application.... BTW, I have to revisit my setup: when I encrypted mine, sites stopped working; I need to do more investigation as to why....
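To make the "same pool name in both datacenters" point concrete, here is an added example (not code from the thread or from F5) that encodes and decodes the default, unencrypted BIG-IP persistence cookie. The cookie name is `BIGipServer<pool>`, and the value is `<ip>.<port>.0000`, with the IPv4 address and the 16-bit port each written as a little-endian (byte-swapped) unsigned integer in decimal. The pool name `web_pool`, the sample `Cookie` header and the addresses are constructed for illustration. Encrypted cookie values are not handled: the thread does not describe the ciphertext format, so the decoder simply reports such a value as not decodable, which is what an LTM without the matching passphrase would also see.

```python
import re
import socket
import struct

# Matches the default BIG-IP persistence cookie inside a Cookie header.
# Pool name and value are constructed/hypothetical in the examples below.
COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;\s]+)")


def _swap16(port):
    """Byte-swap a 16-bit value (the cookie stores the port little-endian)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def encode_member(ip, port):
    """Render an IPv4 pool member as the default plaintext cookie value."""
    ip_dec = struct.unpack("<I", socket.inet_aton(ip))[0]   # little-endian IPv4
    return f"{ip_dec}.{_swap16(port)}.0000"


def decode_member(value):
    """Inverse of encode_member; returns (ip, port).

    Raises ValueError for anything that is not the plaintext shape, which
    includes an encrypted cookie value (base64-like text, not dotted digits).
    """
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plaintext BIG-IP cookie value: {value!r}")
    ip_dec, port_dec, _ = (int(p) for p in parts)
    try:
        ip = socket.inet_ntoa(struct.pack("<I", ip_dec))
    except struct.error as exc:                    # value does not fit 32 bits
        raise ValueError(f"bad address field in {value!r}") from exc
    if port_dec > 0xFFFF:
        raise ValueError(f"bad port field in {value!r}")
    return ip, _swap16(port_dec)


def find_persisted_member(cookie_header, local_pool):
    """Return (ip, port) from the cookie that names local_pool, else None.

    None means the LTM would make a fresh load-balancing decision: either no
    cookie carries this pool name (pool names differ between datacenters) or
    the value is not decodable (for example, it was encrypted elsewhere).
    """
    for m in COOKIE_RE.finditer(cookie_header):
        if m.group("pool") == local_pool:
            try:
                return decode_member(m.group("value"))
            except ValueError:
                return None
    return None


if __name__ == "__main__":
    # Constructed request header: an app cookie plus a BIG-IP cookie that
    # points at member 10.1.1.100:80 in the pool "web_pool".
    header = "JSESSIONID=abc123; BIGipServerweb_pool=1677787402.20480.0000"
    print(find_persisted_member(header, "web_pool"))       # ('10.1.1.100', 80)
    print(find_persisted_member(header, "web_pool_dc2"))   # None: name mismatch
    print(encode_member("10.1.1.100", 443))                 # 1677787402.47873.0000
```

Running it against the constructed header shows the two failure modes discussed in the thread: a pool name that differs between datacenters means the cookie is never consulted, and a value the local unit cannot decode is treated as no persistence record at all.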
- Maverick09_1909
Nimbostratus
Hi Mark. The pool name in both datacenters is the same, so the default persistence cookie name is the same in both datacenters. Correct, that is my main issue: how do I redirect before the load balancing decision is made?
- Brad_Parker
Cirrus
Are you trying to route the traffic across an inter-datacenter connection? I don't think a "redirect" is what you want. I actually have a solution that routes persistence across an inter-DC connection, if that's what you're looking to do. I don't want to hijack this thread with your question, though. If you re-post the question as its own question, I can share the solution we are using. I'm actually going to be presenting it at our next F5 user group meeting.
- Maverick09_1909
Nimbostratus
Hi All, I have created another thread, "https://devcentral.f5.com/questions/cookie-persistence-in-dual-datacenter", so as not to hijack this thread. Thanks.