Forum Discussion

rs232
Nov 29, 2022

Too many SSL connect for OPTIONS Request - CORS in Azure Kubernetes Cluster

Hi there, I am investigating a case where users report very slow page load. The application is hosted in Azure Kubernetes Cluster (Azure CNI) having F5 as load balancer, Checkpoint Firewall and Traefik Ingress controller (just for details).

  • Ingress configuration is set to serve the CORS requests

However, the users are seeing too high Initial and SSL connect time (order of 1200-2000 ms) only for HTTP 204 OPTIONS requests. We are unable to figure out the performance metric on F5 that could help us gauge why these SSL connects are too slow.

I suspect cyclic calls going between the PODs and the Load Balancer for SSL handshake/SSL Offload.

I am not sure if F5 is having issue or any other stack. Any insights related to F5 would be very appreciated.

(As far as my past experience goes, F5 SSL offload was misconfigured on the app server, which caused cycles in the calls between web and app).

Please see attached screenshot as well.

 

3 Replies

  • Hi rs232,

    What makes me wonder is that during the SSL negotiation only the User-Agent may know that the SSL channel will be later used for one of those OPTION requests. Hard to imagine that it could be a server side problem...

    What happens if you plug an SSL inspection forward proxy (e.g. Fiddler) in the communication?

    Using Wireshark with TLS inspection would be my next attempt to figure out what's happening on the wire during those negotiations.

    Cheers, Kai

    rs232

    Ok, good idea. I will check for packet analysis.
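
An added example, not part of any post in this thread: before capturing packets, the browser's own network log can show whether the slow handshakes belong to the OPTIONS requests themselves or to whichever request happens to open a new connection to that host. The sketch assumes the DevTools network log was exported as a HAR 1.2 file; the hostnames and timings in the sample are constructed, and the function and helper names are hypothetical.

```python
import json
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

def _entry(method, url, connect, ssl):
    # Helper for the constructed sample: only the HAR 1.2 fields used below.
    return {"request": {"method": method, "url": url},
            "timings": {"connect": connect, "ssl": ssl}}

# Constructed sample data (hostnames and timings are made up, not from the thread).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("GET", "https://app.example.test/", 60, 40),
    _entry("GET", "https://app.example.test/main.js", -1, -1),
    _entry("OPTIONS", "https://api.example.test/v1/items", 1600, 1500),
    _entry("POST", "https://api.example.test/v1/items", -1, -1),
    _entry("OPTIONS", "https://api.example.test/v1/users", 1400, 1300),
    _entry("GET", "https://api.example.test/v1/users", -1, -1),
]}})

def tls_handshakes_by_method(har_text):
    """Per (method, host): request count, requests that timed a TLS handshake,
    and the median handshake time in milliseconds.

    HAR 1.2 uses timings.ssl == -1 when the timing does not apply, which is the
    case for a request sent on an already open connection. This example also
    treats 0 as "no handshake" (an assumption, to tolerate exporter differences).
    """
    groups = defaultdict(list)
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        ssl_ms = entry.get("timings", {}).get("ssl", -1)
        groups[(req["method"], urlsplit(req["url"]).hostname)].append(ssl_ms)
    report = {}
    for key, values in groups.items():
        paid = [v for v in values if v is not None and v > 0]
        report[key] = {"requests": len(values), "new_tls": len(paid),
                       "median_ssl_ms": median(paid) if paid else None}
    return report

if __name__ == "__main__":
    for (method, host), row in sorted(tls_handshakes_by_method(SAMPLE_HAR).items()):
        print(method, host, row)
```

A row where `new_tls` equals `requests` means every request in that group waited on its own handshake, which is the pattern to compare against the packet capture.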