Forum Discussion
Using LTM to SSL Offload a APM Server
Hi All,
Trying to solve a performance issue with a APM policy in front of a Jira based site. Everything works, but using APM and a Webtop slows down the Jira site quite significantly (2-3 times slower).
A suggestion was to use two virtual servers. One to as a basic SSL offload that then passes off to the APM running with a http only interface.
I have done the configuration of APM and can access Jira directly through http. Now, when I create another VS listening on 443, with a SSL Client profile, the server does not respond to requests.
With a tcpdump I can see the client connection being established, but when the F5 tries to connect to itself there is no traffic. Running a tcpdump I can see the F5 self-ip doing a ARP request for the APM based VS, but getting no response. So the F5 is trying to find a server, but does not know that it needs to talk to itself.
Tried to use a loopback address (e.g. 127.0.0.99) but the GUI won't let me. Also played with SNAT options but does not seem to make a difference. Sure it would be possible using two different F5's, but dont have that option.
I am sure I read somewhere about a known issue with trying to load balance a VS running on itself, but can't seem to find any reference to it.
Any guidance appreciated.
Regards, Jason
- Kevin_StewartEmployee
Just curious here, but can you elaborate on the reasoning to use two virtual servers? APM is a module that runs on top of LTM and is ultimately dependent on an LTM virtual server. Offloading SSL at the LTM VIP that has an access policy applied should not be any slower than an SSL offloading LTM VIP that then load balances to an APM VIP. Can you perhaps also elaborate on your APM configuration?
To pass traffic from one VIP to another on the same box, you would use the virtual command in an iRule on the external VIP, using the name of the internal VIP as reference:
when CLIENT_ACCEPTED { virtual [name of internal VIP] }
- Kevin_StewartEmployee
A webtop is a not a requirement for APM configurations. You typically need them for network access and portal resources, but for simple AAA services, they're not used at all. If you want to directly access the Jira-based website, not through an SSL VPN or through a portal rewrite, but still provide some form of pre-authentication and/or single sign-on, then simply create an access policy that includes whatever client side (AAA) auth mechanisms and server side (SSO) mechanisms you need, and no resource assignment (webtop).
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com