06-Aug-2019 23:00
Hi
We have the following scenario: an HTTPS VS presenting a web application, configured with 2 pool members. When we are logged into the application and test a failover by shutting a web server down, the F5 doesn't direct the session to the other available pool member. We need to force a refresh on the browser for the connection to re-establish to the available pool member. Both VS and pool members are configured with HTTPS.
We have:
VS - HTTPS
We have a pretty simple VS setup. I would have thought the F5 would automatically redirect the session to the next pool member, but I need to hit refresh on the browser.
Any tips?
07-Aug-2019 00:14
I would apply one. Please see "K7208: Overview of the OneConnect profile".
07-Aug-2019 00:35
Thanks JG, I tried that but no luck.
I noticed the ltm logs complaining about an SSL handshake to one of the web servers:
SSL Handshake failed for TCP web server:443 -> F5 SNAT:33968, not sure if that's causing an issue. The web servers are configured with SSL but are using self-signed certs not imported to the F5.
07-Aug-2019 00:39
There is a knowledge article to assist troubleshooting: K15292: Troubleshooting SSL/TLS handshake failures.
07-Aug-2019 01:02
"When a pool member fails to respond to a health monitor, the system marks that pool member down. Persistence entries associated with the pool member are removed when a new connection matches the entry or when the timeout period is reached. If a new connection matches a persistence record that has not timed out, the BIG-IP system removes the old persistence record and creates a new entry." (K15095: Overview of the Action On Service Down feature).
So a current or a persistent connection will still be forwarded to the failed server until the connection times out or is killed.
With a OneConnect profile, the load balancing decision is made based on each HTTP request, not just at the beginning of a TCP connection, as I understand it.
It is probably better to get other issues (SSL) out of the way before testing this issue.