Forum Discussion

DeltaRho2K_2167
Apr 29, 2013

Cookie Persistence Issue

Our environment is set up as follows:

Reverse Proxy - Firewall - F5 LTM 1600s - Web Servers

The reverse proxy is in an internet facing DMZ, the F5s are behind a firewall in a non-internet facing DMZ (as are the web servers being served by the F5).

The reverse proxy is running Apache httpd 2.22

The F5 is running 10.2.3

The Web servers are running a .NET proprietary application that requires some form of sticky persistence. I say "some form" because ideally, we'd want affinity, but the load balancing was off, so we're exploring other options without success (SSL and Cookie based persistence).

Traffic is encrypted to the internet facing web site on the Reverse Proxy. It is decrypted for processing in the rev proxy, and then re-encrypted when sent to the site on the F5.

We are doing it this way because we also have an internal route set up directly to the web application via the F5 device that requires encryption.

AND, to complicate things even further, we have a single sign on application also being used through the same reverse proxy connection (just with a different URI context).

My first question is this - has anyone ever done this with the sticky session requirement, and had success? If so, how?

If not, then I'd like some input on how to get it to work.

The basic problem is that (according to the application developers) the session seems to be not handled properly and it is losing any level of stickiness it should have - though he cannot provide me with any specific logs to back up his assertion. The reverse proxy access logs do not indicate where these disconnects are occurring and I don't have any real level of traffic monitoring enabled in the F5 to try to see if that's where it is occurring. Sometimes I feel like the application developers are hiding from their bad outdated code by blaming it on the reverse proxy or F5, but I'm not entirely convinced it's any of my equipment (I'm just the infrastructure guy).

I would imagine this will require more info from me, so let me know what else you want to know. Any help would be most appreciated.

 

3 Replies

  • BIG-IP is doing SSL offloading, isn't it? Do you have the web server's private key? If so, is it possible to try cookie persistence again and run tcpdump/ssldump on BIG-IP to see what is wrong?

    In case you are unable to obtain the key, you may try logging in an iRule to see if it is helpful.

    Just my 2 cents.
  • Yes, BIG-IP is doing SSL offloading from the web application (using the server's cert/key pair). The SSL termination from the BIG-IP is occurring at the Reverse Proxy (so we're decrypting and encrypting twice in the route). I will try the tcpdump/ssldump to see if I can see anything there.

    Do you have an example of an iRule that may be handy for logging purposes as you describe?
  • "Do you have an example of an iRule that may be handy for logging purposes as you describe?"

    I think we may start from an example in codeshare and add whatever information you want. Please make sure the system is not overwhelmed by logging. 🙂

    Log Http Headers by Aaron

    https://devcentral.f5.com/wiki/irules.loghttpheaders.ashx

    e.g.

    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          # identify the client connection once; these variables stay available in HTTP_RESPONSE
          set host [HTTP::host]
          set uri [HTTP::uri]
          set client "[IP::client_addr]:[TCP::client_port]"
          log local0. "$client | Host: $host | URI: $uri"
          # one log line per request header (Cookie included)
          foreach aHeader [HTTP::header names] {
             log local0. "$client | $aHeader: [HTTP::header value $aHeader]"
          }
       }
       when HTTP_RESPONSE {
          set server "[IP::server_addr]:[TCP::server_port]"
          log local0. "$client | $server | Host: $host | URI: $uri | Status: [HTTP::status]"
          # one log line per response header (Set-Cookie included)
          foreach aHeader [HTTP::header names] {
             log local0. "$client | $server | $aHeader: [HTTP::header value $aHeader]"
          }
       }
    }

    [root@ve10:Active] config  tail -f /var/log/ltm
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Host: 172.28.19.252 | URI: /
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Accept: */*
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Accept-Language: en-US
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; MS-RTC LM 8; .NET4.0E)
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Accept-Encoding: gzip, deflate
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Host: 172.28.19.252
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Connection: Keep-Alive
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | Cache-Control: no-cache
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Host: 172.28.19.252 | URI: / | Status: 200
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Date: Tue, 30 Apr 2013 14:20:27 GMT
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Server: Apache/2.2.3 (CentOS)
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | ETag: "4183f3-59-f28f94c0"
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Accept-Ranges: bytes
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Content-Length: 89
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Keep-Alive: timeout=15, max=100
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Connection: Keep-Alive
    Apr 30 22:09:45 local/tmm info tmm[4950]: Rule myrule : 192.168.206.44:64814 | 200.200.200.101:80 | Content-Type: text/html; charset=UTF-8
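To turn the header log this iRule writes into evidence of where stickiness is lost, here is an added Python script (not from the thread or from F5) that replays lines in that format and flags sessions whose BIGipServer persistence cookie goes missing, changes, or is reissued by the LTM. It assumes the .NET application's session cookie is named ASP.NET_SessionId and runs over a constructed sample log.

```python
import re

# Line shape from the header-logging iRule above: "... Rule <name> : <client ip:port> | [<server ip:port> |] <Header>: <value>"
LINE_RE = re.compile(r"Rule \S+ : (?P<client>[\d.]+:\d+) \| (?:[\d.]+:\d+ \| )?(?P<header>[\w-]+): (?P<value>.*)$")
SESSION_COOKIE = "ASP.NET_SessionId"  # assumed name of the .NET application's own session cookie
PERSIST_PREFIX = "BIGipServer"        # LTM cookie persistence names its cookie BIGipServer<pool name>

def cookies(header_value):
    """Parse 'a=1; b=2' (Cookie) or 'a=1; path=/' (Set-Cookie) into a dict; attributes are filtered later."""
    pairs = (p.split("=", 1) for p in header_value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def find_stickiness_breaks(lines):
    """Return (session_id, reason) wherever a known session's persistence cookie is missing, changed or reissued."""
    # Behind a reverse proxy every request carries the proxy's source address, so sessions are correlated by the
    # application's session cookie, not by client address; last_sid maps a connection to the session it last sent.
    expected, last_sid, breaks = {}, {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, header, jar = m.group("client"), m.group("header"), cookies(m.group("value"))
        persist = {k: v for k, v in jar.items() if k.startswith(PERSIST_PREFIX)}
        if header == "Cookie" and SESSION_COOKIE in jar:
            sid = last_sid[client] = jar[SESSION_COOKIE]
            if sid not in expected:
                if persist:
                    expected[sid] = persist  # first request carrying the cookie pins the session to a member
            elif not persist:
                breaks.append((sid, "persistence cookie not echoed back to LTM"))
            elif persist != expected[sid]:
                breaks.append((sid, "persistence cookie value changed"))
        elif header == "Set-Cookie" and persist and client in last_sid:
            sid = last_sid[client]
            if sid not in expected:
                expected[sid] = persist  # LTM pinned the session on this response
            elif persist != expected[sid]:
                breaks.append((sid, "LTM reissued the persistence cookie (session moved to another member)"))
    return breaks

# Constructed sample (not from the thread): session abc is pinned on request 1, sticks on 2, loses the cookie on 3.
SAMPLE_LOG = """\
tmm[4950]: Rule myrule : 10.0.0.5:40001 | Host: app | URI: /login
tmm[4950]: Rule myrule : 10.0.0.5:40001 | Cookie: ASP.NET_SessionId=abc
tmm[4950]: Rule myrule : 10.0.0.5:40001 | 192.0.2.11:443 | Set-Cookie: BIGipServerpool_web=1234.20480.0000; path=/
tmm[4950]: Rule myrule : 10.0.0.5:40002 | Cookie: ASP.NET_SessionId=abc; BIGipServerpool_web=1234.20480.0000
tmm[4950]: Rule myrule : 10.0.0.5:40003 | Cookie: ASP.NET_SessionId=abc
tmm[4950]: Rule myrule : 10.0.0.5:40003 | 192.0.2.12:443 | Set-Cookie: BIGipServerpool_web=1235.20480.0000; path=/
"""
```

Feed it `tail -n +1 /var/log/ltm` output filtered to the rule name; a "not echoed" break on a request whose client address is the reverse proxy points at the proxy (or browser) dropping the cookie, while a "reissued" break shows the LTM itself choosing a new member.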