Forum Discussion
Thank you very much for the reply. It would be good to use oneconnect if possible, but I am not sure how to make that happen yet 😊
The lab setup I tried (please feel free to rubbish this setup and suggest any better alternatives) uses 1 pool per FQDN/HTTP combination. For example if I describe using just two pools for simplicity:
- {www.test.com with Header X = A} maps to Pool A
- {www.test.com with Header X = B} maps to Pool B
I then used a traffic policy to forward traffic to the appropriate pool based on this FQDN/HTTP combination.
Other than name, each pool is 100% the same – same single member (IP & port). The only reason I used different pools was to give different ‘targets’ to load balance to (very welcome to suggestions which only require 1 pool).
I then used an iRule to pick up LB_SELECTED events and assign the appropriate Server SSL profile based on the name of the pool chosen, with the profile actually being attached and used in the subsequent SERVER_CONNECTED event.
This appears to work OK, with a traffic profile along the lines of:
- {www.test.com with Header X = A}
first HTTP request received – create new server connection using server SSL profile A
- {www.test.com with Header X = A}
Any number of subsequent HTTP requests received with same FQDN/HTTP combination –LB_SELECTED doesn’t even trigger, traffic just goes across existing server connection OK
- {www.test.com with Header X = B}
HTTP request received with diff FQDN/HTTP combination – existing server connection closed (TCP FIN) and new connection established to same server but using server SSL profile B
- {www.test.com with Header X = B}
Again connection remains constant while subsequent HTTP requests present with the same FQDN/HTTP combination
- {www.test.com with Header X = A}
Cycle repeats…….
At the TCP level the two server connections (A & B) will be the same, i.e. client addr/port & server add/port will be the same. However the key difference is that each will have used a different server SSL profile, i.e.
Pool A connections use server SSL profile A
Pool B connections use server SSL profile B
Is the oneconnect TCP reuse pool aligned per LTM pool, or is it ‘global’? What is the relationship between TCP and SSL with regard to the idle connections in the reuse pool – i.e. are they purely TCP connections or do they also have active SSL sessions?
I did try enabling oneconnect but results were inconsistent, although usually it just kept all traffic going across the first connection established. I therefore assumed the oneconnect reuse pool was global rather than being a separate reuse pool per LTM pool. I also assume SSL remains established per TCP connection.
If you could help me understand how to amend the setup (happy to scrap what I have and go with something completely different) so as to leverage the power of oneconnect, but while still maintaining the key goal of ensuring the traffic is sent across a pipe which has used the correct server SSL profile it would be very much appreciated 😊
Basically the ideal goal would be traffic switching between two different ‘SSL pipes’ to the same server, similar to that listed above, but with each connection remaining up rather than only one being activated at a time. I know the objective of oneconnect is to keep connections active like that, but I need to understand more about what a oneconnect idle connection actually represents and how the F5 makes a decision on which one to choose – e.g. if it is purely on IP/port info, or if there is some way I can align this to account for the different server SSL profiles used as well.
Thanks again for the reply.
Apologies for the confusion in the terms that I used. Please note that I do not expect multiple clientside TCP connections to be multiplexed onto a single serverside TCP connection. I was saying one serverside connection per pool because I was focusing on the simple example being discussed – a single clientside TCP connection which in my case should result in 2 completely separate TCP connections serverside – one per pool (one ACTIVE, one IDLE, assuming IDLE hadn’t timed out yet). This same connection layout would then scale up as new concurrent clientside connections were activated.
In fact in my case the traffic profile is sort of round the other way to how oneconnect is normally used. Depending on traffic volume/profile I would generally expect to see more serverside connections than clientsdie in my specific case, whereas the normal deployment would generally result in fewer serverside connections compared to clientsdie.
I used the term “pipe” because the simple term TCP connection seems a little to vague to me. All the oneconnect documentation I have read simply mentions TCP connections, but as I see it these connections are much more than that. They are fully established connections using higher level protocols ready to take Layer 7 HTTP request/response messages. In my case the important piece of info that the term “TCP connection” leaves out is regarding SSL. So I should maybe use (TCP+SSL-A) and (TCP+SSL-B). At the TCP level these two connections will look exactly the same, but if you take the higher level protocol stack into consideration they are actually very different connections (what I meant by “pipe” – I realise though that I said it with no explanation/context so it will have been very confusing, apologies).
It feels to me like oneconnect is working solely at the TCP level and ignoring the higher level components. This would work fine for a normal setup where the Virtual Server had just one server SSL profile – however in my case I use different server SSL profiles which it feels like oneconnect may simply ignore.
However I realise I probably have this wrong, as a more normal scenario would be the F5 acting as reverse proxy in front of a number of internal webservers which host multiple domains and use SNI to confirm which connection aligns with which FQDN. I assume oneconnect must have a way to cope with this situation and if I understood that operation then elements of it would likely be relevant in my case.
Anyway I see that this is getting too complicated to bottom out in the format of this forum. Thank you for taking the time to try to help though, it is greatly appreciated 😊