Persisting SSL Connections
Many customers use LTM to handle SSL encrypted traffic, and traffic that requires SSL certificate authentication and encryption often also requires persistence to a specific server for the life of an...
Published Aug 06, 2008
Version 1.0Deb_Allen_18
Historic F5 Account
Joined September 25, 2004
Deb_Allen_18
Historic F5 Account
Joined September 25, 2004
mrjenkins_64144
Mar 27, 2009Nimbostratus
Beware! Do not configure a "OneConnect" profile on an SSL passthrough virtual server. OneConnect causes the load balancer to retain the backend server connection even when the client drops the connection to the virtual server. A subsequent new TCP connection from a client trying to re-establish an existing SSL session will send an unencrypted "client hello" to the virtual server. The load balancer will then send this unencrypted message to the real server over the TCP connection where the real server expects to see only encrypted traffic. When the real server "decrypts" the message that isn't encrypted, the connection (and session) will fail. Turning off OneConnect causes the load balancer to drop the backend connection whenever the client drops the frontend connection, and the unencrypted "client hello" will be sent over a new backend TCP connection. We ran into this recently, as Internet Explorer 7 exhibits different SSL session establishment than IE6. IE7 in our case drops the TCP connection to the virtual server before any app data is exchanged, and starts up a new TCP connection to complete the SSL establishment. IE6 didn't do this, and worked even though we had OneConnect enabled on the SSL virtual server. Turning off OneConnect allowed IE7s new behavior to work as well.