How useful is SSL mirroring when clustering?

Question

When clustering, persistence mirroring is a no-brainer, and connection mirroring can also be useful under the right circumstances, but how about SSL connection mirroring? (https://support.f5.com/csp/article/K7216) Is there a clear performance benefit for the F5 / Client or a security benefit?&nbsp;
From what I've heard/read (hardly reliable sources... ;), it may be useful in very large scenarios where you are dealing with very large numbers of SSL sessions and a failover event would otherwise trigger all these SSL connections to re-establish, putting a lot of strain on the system.
At the same time, for many smaller systems, that initial strain might be manageable compared to the additional overhead of the synchronization that the SSL synchronization may not be worth it. Not to mention other issues such as the recently discovered bug that means you have to disable SSL caching. (https://cdn.f5.com/product/bugtracker/ID760406.html) Meaning you are now trading one benefit for another...&nbsp;
Anybody got any ideas or able to shed any light on it??&nbsp; Thanks in advance!&nbsp;

mike757 · Accepted Answer

Hi, AlexBugs apart (let's assume we live in a perfect world for a minute), I always like to activate mirroring when I know traffic is SSL-based, whether the F5 terminates SSL sessions or not.The idea is precisely what you mentioned - making life easier for endpoints, who don't have to recreate all the SSL sessions in the event of a failover. If you don't have SSL termination, or if you do but re-encrypt traffic for the server-side, "endpoints" means client and server. You may not be worried with performance issues on the client machine, but tipically you want to take that load off your servers, even if it means putting a little extra load on the F5 machines.About performance on the F5 itself, the only way to know if you are having a big impact is by monitoring. If your system is very underloaded, even when doing mirroring, I would say keep it that way. If you are near any limits (CPU or RAM), disabling mirroring might help if there are a big number of sessions./Mike

kai_wilke · Answer

I honestly like your idea to make life easier for endpoints. I may revisit my past decisions, because of this clear simple point of view... 😉
Thanks and Cheers, Kai

kai_wilke · Answer

Hi Alex,
Your "hardly reliable source" might be right, that it could be a used to flatten performance spikes during failovers, but on the other hand introduces new challenges and performance implications. Its an individual tradeoff decission to make based on a specific setup and workload....&nbsp;
Personally I never considered to enable "Connection" or "SSL connection" mirrorring for HTTPS sites. For other services which are more dependant on the underlying TCP channel and TLS connection (e.g. LDAPS) it makes much more sense to enable...
Cheers, Kai

alexbct · Answer

Kai_Wilke&nbsp;Mike757&nbsp;
Many thanks for both insights - it's good to have multiple points of view (and good to know that I wasn't missing something obvious 😉&nbsp;

Forum Discussion

How useful is SSL mirroring when clustering?

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Connection Mirroring question

Use F5 Distributed Cloud to Connect Apps Running in Multiple Clusters and Sites

F5 BIG-IP deployment with OpenShift - multi-cluster architectures

F5 BIG-IP per application Red Hat OpenShift cluster migrations

Deploy Failover BIG-IP Cluster with New Stack in Google Cloud using v2 Templates