Persisting SSL Connections

Beware! Do not configure a "OneConnect" profile on an SSL passthrough virtual server. OneConnect causes the load balancer to retain the backend server connection even when the client drops the connection to the virtual server. A subsequent new TCP connection from a client trying to re-establish an existing SSL session will send an unencrypted "client hello" to the virtual server. The load balancer will then send this unencrypted message to the real server over the TCP connection where the real server expects to see only encrypted traffic. When the real server "decrypts" the message that isn't encrypted, the connection (and session) will fail. Turning off OneConnect causes the load balancer to drop the backend connection whenever the client drops the frontend connection, and the unencrypted "client hello" will be sent over a new backend TCP connection. We ran into this recently, as Internet Explorer 7 exhibits different SSL session establishment than IE6. IE7 in our case drops the TCP connection to the virtual server before any app data is exchanged, and starts up a new TCP connection to complete the SSL establishment. IE6 didn't do this, and worked even though we had OneConnect enabled on the SSL virtual server. Turning off OneConnect allowed IE7s new behavior to work as well.