
OneConnect with /32

Hi there,

Sorry for bringing up this topic with another new thread, but all the official F5 documentation as well as several DevCentral posts don't 100% answer my question.

Is there any "special" feature, which is only enabled with a OneConnect mask of /32?

I mean this connection balancing vs. request balancing, which becomes important e.g. with Akamai clients and cookie persistence or any special iRule business logic. It's always stated that you should enable OneConnect with /32, but with no further details on why exactly /32. Does the OneConnect profile (in combination with the HTTP profile) solve the issue, or is it just the /32 mask? Or does this maybe also depend on other settings like the use of SNAT, where with the standard SNAT automap option and just a single floating IP all clients are "mapped" to the same source IP, so the OneConnect mask doesn't matter at all?

Any more details or background information would be very helpful!

Thank you!

 

Ciao Stefan 🙂

1 REPLY

cjunior
Nacreous

Hi, 

As far as I know, the OneConnect profile "solves persistence issues" when you are working with a CDN and multiple requests over a single connection (HTTP pipelining or otherwise).

Before sending a request to the server, OneConnect tells BIG-IP to first detach the server-side connection previously used for that source mask, then decide whether to reuse a connection or perform load balancing and persistence when needed. In other words, with a OneConnect profile, BIG-IP processes each HTTP request individually, and without it, BIG-IP performs load balancing only once for each connection.

 

In my understanding, since a CDN is a proxy source for many clients (acting as SNAT), the host source mask /32 is a way to tell BIG-IP to only reuse connections from the same source IP, to load balance the traffic better.

Because the more generic the OneConnect source mask is, the more server connection reuse it will have, and consequently less load balancing will be necessary or performed.

 

When I don't need all the benefits of OneConnect within CDN topologies, I usually write an iRule to detach server-side connections as described here:

https://support.f5.com/csp/article/K7964

 

I hope it helps.

 

Best regards
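
The relationship between the source mask and server-side connection reuse described in this answer can be seen in a small model; this is an added example, not part of the original post and not F5's implementation. It assumes a load-balancing pick per request (round robin here), no SNAT, and constructed addresses: three CDN edge IPs and two pool members.

```python
import ipaddress
from itertools import cycle

# Constructed sample data: three CDN edge nodes (documentation ranges)
# sending four requests each, and two hypothetical pool members.
CDN_SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
REQUESTS = CDN_SOURCES * 4
MEMBERS = ["10.0.0.1:80", "10.0.0.2:80"]


def reuse_key(src_ip: str, prefix_len: int) -> str:
    """Apply a source mask of the given length to a source address."""
    return str(ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False))


def simulate(requests, members, prefix_len):
    """Replay sequential requests and return (opened, reused).

    Simplified model (an assumption, not BIG-IP code): each request gets
    its own load-balancing pick, then an idle server-side connection to
    that member is reused only if it was opened for the same masked source.
    """
    idle = set()              # (masked source, member) pairs with an idle connection
    picker = cycle(members)   # round-robin member selection per request
    opened = reused = 0
    for src_ip in requests:
        key = (reuse_key(src_ip, prefix_len), next(picker))
        if key in idle:
            reused += 1       # eligible idle connection exists
        else:
            opened += 1       # no eligible connection, open a new one
            idle.add(key)     # it returns to the pool after the response
    return opened, reused


if __name__ == "__main__":
    for prefix in (0, 24, 32):
        opened, reused = simulate(REQUESTS, MEMBERS, prefix)
        print(f"/{prefix}: opened={opened} reused={reused}")
```
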