Forum Discussion
Thank you very much for the reply. It would be good to use OneConnect if possible, but I am not sure how to make that happen yet 😊
The lab setup I tried (please feel free to rubbish this setup and suggest any better alternatives) uses 1 pool per FQDN/HTTP combination. For example if I describe using just two pools for simplicity:
- {www.test.com with Header X = A} maps to Pool A
- {www.test.com with Header X = B} maps to Pool B
I then used a traffic policy to forward traffic to the appropriate pool based on this FQDN/HTTP combination.
Other than name, each pool is 100% the same – same single member (IP & port). The only reason I used different pools was to give different ‘targets’ to load balance to (very welcome to suggestions which only require 1 pool).
I then used an iRule to pick up LB_SELECTED events and assign the appropriate Server SSL profile based on the name of the pool chosen, with the profile actually being attached and used in the subsequent SERVER_CONNECTED event.
This appears to work OK, with a traffic profile along the lines of:
- {www.test.com with Header X = A}: first HTTP request received – create new server connection using server SSL profile A
- {www.test.com with Header X = A}: any number of subsequent HTTP requests received with the same FQDN/HTTP combination – LB_SELECTED doesn’t even trigger, traffic just goes across the existing server connection OK
- {www.test.com with Header X = B}: HTTP request received with a different FQDN/HTTP combination – existing server connection closed (TCP FIN) and a new connection established to the same server but using server SSL profile B
- {www.test.com with Header X = B}: again the connection remains constant while subsequent HTTP requests present with the same FQDN/HTTP combination
- {www.test.com with Header X = A}: cycle repeats.
At the TCP level the two server connections (A & B) will be the same, i.e. client addr/port & server addr/port will be the same. However the key difference is that each will have used a different server SSL profile, i.e.
- Pool A connections use server SSL profile A
- Pool B connections use server SSL profile B
Is the OneConnect TCP reuse pool aligned per LTM pool, or is it ‘global’? What is the relationship between TCP and SSL with regard to the idle connections in the reuse pool – i.e. are they purely TCP connections or do they also have active SSL sessions?
I did try enabling OneConnect but results were inconsistent, although usually it just kept all traffic going across the first connection established. I therefore assumed the OneConnect reuse pool was global rather than being a separate reuse pool per LTM pool. I also assume SSL remains established per TCP connection.
If you could help me understand how to amend the setup (happy to scrap what I have and go with something completely different) so as to leverage the power of OneConnect, while still maintaining the key goal of ensuring the traffic is sent across a pipe which has used the correct server SSL profile, it would be very much appreciated 😊
Basically the ideal goal would be traffic switching between two different ‘SSL pipes’ to the same server, similar to that listed above, but with each connection remaining up rather than only one being activated at a time. I know the objective of OneConnect is to keep connections active like that, but I need to understand more about what a OneConnect idle connection actually represents and how the F5 makes a decision on which one to choose – e.g. if it is purely on IP/port info, or if there is some way I can align this to account for the different server SSL profiles used as well.
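The header-based pool selection and per-pool Server SSL profile selection described in the post above, written out as a single iRule. This is an added example, not code from the original poster or from F5; the pool names pool_A and pool_B, the Server SSL profile names serverssl_A and serverssl_B, the header name X and the fallback to pool A are all assumptions. It also assumes, as the poster's setup does, that some Server SSL profile is already attached to the virtual server so that SSL::profile can switch the server-side profile, and it does the routing step in HTTP_REQUEST rather than in a traffic policy so the example is self-contained.

```tcl
# Added example (not from the original post). Assumed names: pool_A, pool_B,
# serverssl_A, serverssl_B, header "X". A Server SSL profile must already be
# attached to the virtual server for SSL::profile to switch it server-side.

when HTTP_REQUEST {
    # Route on the value of header X. The original setup used a traffic
    # policy for this; an iRule is used here so the example stands alone.
    switch -- [string tolower [HTTP::header "X"]] {
        "a"     { pool pool_A }
        "b"     { pool pool_B }
        default { pool pool_A } ;# assumption: missing/unknown header goes to A
    }
}

when LB_SELECTED {
    # Runs on every load-balancing decision. Record which Server SSL profile
    # the chosen pool requires. LB::server pool may return the pool with its
    # partition path (e.g. /Common/pool_A), hence the glob match.
    switch -glob -- [LB::server pool] {
        "*pool_A" { set srvssl "serverssl_A" }
        "*pool_B" { set srvssl "serverssl_B" }
        default   { set srvssl "serverssl_A" } ;# assumption: fallback profile
    }
}

when SERVER_CONNECTED {
    # Fires only when a NEW server-side TCP connection is established. With
    # OneConnect enabled, a request served over a reused idle connection never
    # reaches this event, so that connection keeps whichever profile it was
    # opened with; the reuse match is on server address/port (and source
    # mask), not on the Server SSL profile.
    if { [info exists srvssl] } {
        SSL::profile $srvssl
    }
}
```

The practical consequence is the one the poster observed: once OneConnect is on, the profile is fixed at the moment a server-side connection is opened, so the iRule alone cannot steer an already-open connection between serverssl_A and serverssl_B. Keeping the connections distinct at the TCP layer (for example, by giving each pool a different member port, or by separating the two paths onto different virtual servers) is what lets the reuse pool tell them apart; those are design options to weigh, not part of the original setup.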
Sorry, there is a lot to clarify and explain and possibly correct in that, and I think we are getting beyond the scope of DevCentral. As I mentioned before, the name, usage, and configuration of a OneConnect profile is confusing and a little unintuitive. If you are expecting to see "one" connection per pool, you will definitely think it is behaving incorrectly, because it is not a "tunnel" or a "pipe" like you are saying. It is a TCP connection and it will never be used for multiple requests at the same time; it must be idle or a new connection will be created. In fact, some people put the default OneConnect profile on VIPs hoping for a "one click" performance improvement only to find they now have more server-side connections than before (especially if their non-OneConnect VIP was layer 4 or was doing pipelining etc.).
Ultimately, there is only so much that can be done here. If you are able to get something that works for you taking this conversation (and others here) into consideration, great. If not, you should probably work with someone with whom you can share specific config details and pcaps and get personalized consulting that should not be done over public internet.