Too many SSL connect for OPTIONS Request - CORS in Azure Kubernetes Cluster

rs232 · ‎29-Nov-2022

Hi there, I am investigating a case where users report very slow page load. And the application is hosted in Azure Kubernetes Cluser (Azure CNI) having F5 as loadbalancer, Checkpoint Firewall and Traefik Ingress controller (just for details).

Ingress coffiguration is set to serve the CORS requests

However the users are seeing too high Initial and SSL connect time (Order of 1200-2000ms) only for HTTP 204 OPTIONS requests. We are unable to figure out the performance metric on F5 that could help us guage why these SSL connects are too slow.

I suspect that the cyclic calls going between the PODs and the Load Balancer for SSL handshake/SSL Offload.

I am not sure if F5 is having issue or any other stack. Any insights related to F5 would be very appreciated.

(As far my past experience, F5 SSL offload was misconfigured on app server caused cycles in the calls between web and app).

Pl. see attached screenshot as well.

rs232 · ‎29-Nov-2022

Kai_Wilke · ‎29-Nov-2022

Hi rs232,

what makes me wonder is that during the SSL negotiation only the User-Agent may know that the SSL channel will be later used for one of those OPTION requests. Hard to imagine that it could be a server side problem...

What happens if you plug a SSL inspection forward proxy (e.g. fiddler) in the communication?

Using Wireshark with TLS inspection would be my next attempt to figure out what's happening on the wire during those negotiations?

Cheers, Kai

—
iRule can do… 😉

rs232 · ‎02-Dec-2022

Ok, good idea. I will check for packet analaysis.

DevCentral

Too many SSL connect for OPTIONS Request - CORS in Azure Kubernetes Cluster

Khoros Kudos Award 2022