Forum Discussion
Harold_Deadman_
Nimbostratus
Sep 28, 2011
what is appropriate way to use SSL::disable serverside / SSL::enable serverside
We have a requirement to encrypt server-side traffic between the F5 and our SSO web application (CAS) because passwords are transmitted. Our F5 VIP has several different applications behind it on seve...
Remco
Nimbostratus
Feb 13, 2012
Hi,
Last week we introduced a similar setup in our environment (server side ssl for a selected pool) and had similar problems with performance.
We had the following symptoms:
- 20% CPU increase
- significantly fewer active sessions than before
- significantly more new conn/sec than before
I had used the same approach as the original poster.
At the beginning of the iRule I added:
when CLIENT_ACCEPTED {
    SSL::disable serverside
}
and under the HTTP_REQUEST event I enabled serverside ssl only for the pool required.
Our assumption was that since the pool with the serverside ssl is hit during the users' login procedure, somehow the F5 is trying serverside ssl to the other pools. But when we removed the call to the serverside ssl pool in the login procedure the problems did not disappear. On an application level they removed the call to the pool where serverside ssl was required. The conclusion in this post was that once the serverside ssl pool was hit the F5 kept trying serverside ssl to the other pools, but if you are not hitting the serverside ssl pool wouldn't it show normal behaviour?
What would you advise?
Modify the irule to disable serverside ssl in the SERVER_CONNECTED event as suggested by Tarsier?
when SERVER_CONNECTED {
    # The pool name must be a quoted string; a bare word is a syntax error in a Tcl expression
    if { not ( [LB::server pool] eq "Target.Pool.Name.For.SSL.Enable" ) } {
        SSL::disable
    }
}
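The approach described in the post above, written out as one iRule with logging added so that the server-side SSL state can be checked per pool. This is an added example, not code from the thread: the pool names `cas_ssl_pool` and `app_pool` and the `/cas` path prefix are assumptions, and a server SSL profile is assumed to be attached to the virtual server.

```tcl
# Added example. cas_ssl_pool, app_pool and the /cas prefix are
# hypothetical placeholders; substitute the real pool names and path.

when CLIENT_ACCEPTED {
    # Default for every new client connection: no SSL towards pool members.
    SSL::disable serverside
}

when HTTP_REQUEST {
    # Decide on every request, not once per connection: a keep-alive
    # client connection can carry requests destined for different pools.
    if { [string tolower [HTTP::path]] starts_with "/cas" } {
        SSL::enable serverside
        pool cas_ssl_pool
    } else {
        SSL::disable serverside
        pool app_pool
    }
}

when SERVER_CONNECTED {
    # One line per new server-side connection, to correlate with the
    # new conn/sec counters while testing.
    log local0.info "server connect: pool=[LB::server pool]\
        member=[IP::server_addr]:[TCP::server_port]"
}

when SERVERSSL_HANDSHAKE {
    # Fires only when a server-side SSL handshake has completed, so any
    # entry for a pool other than the SSL pool means encryption was
    # negotiated where it was not intended.
    set p [LB::server pool]
    # The pool name may carry a partition prefix, so match on the suffix.
    if { $p ends_with "cas_ssl_pool" } {
        log local0.info "server-side SSL ok: pool=$p cipher=[SSL::cipher name]"
    } else {
        log local0.warning "unexpected server-side SSL: pool=$p\
            member=[IP::server_addr]:[TCP::server_port]"
    }
}
```

The two logging events are for verification only; per-connection logging adds load of its own, so remove them once the behaviour per pool is confirmed.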