Forum Discussion

Wojciech_Starow
Apr 05, 2007

Strange errors...

Hi, I have a BIG-IP configured with two-way SSL. My app uses certificates, so in every request I put the certificate in a header attribute. My rule is:

when CLIENTSSL_CLIENTCERT {
    # store the client certificate in the session table, keyed by SSL session ID,
    # with a lifetime of 180 seconds
    set ssl_cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $ssl_cert 180
    log "ssl_cert: $ssl_cert"
}
when HTTP_REQUEST {
    # look the certificate up again and pass it to the application in a header
    set client_cert [session lookup ssl [SSL::sessionid]]
    HTTP::header replace SSLCertificate [X509::whole $client_cert]
    log "client_cert: [X509::whole $client_cert]"
}

It works OK, but... every 2-3 minutes of inactivity in the app the session breaks, and the logs show:

TCL error: Rule insert_cert_to_header HTTP_REQUEST - while executing X509::whole $client_cert 

Does anyone know what is going on?

4 Replies

  • I would guess that the SSL session ID is changing. Take a look at SOL1024 on AskF5.com for details on the limitations of persisting on SSL session IDs.

    Aaron
  • Hmmmm.... I terminate the SSL connection on the BIG-IP and then the connection to the app is on the normal port 80. I have persistence set to dest_addr (configured by default on the BIG-IP) for HA purposes. Do you know a better solution? My platform version is "9.2.3 Build 34.8", so it is newer than the one in SOL1024...
  • Sorry for the confusion. You're not persisting based on the SSL session ID, but you're using it to verify sessions.

    I wouldn't suggest using destination address persistence for a standard (non network) virtual server. The destination address for all requests will be the same so all client requests would be persisted to the same node. Try changing to source address persistence or cookie persistence. For more info on persistence options check the LTM config guide for your version on AskF5.

    [EDIT: you can view the persistence records from the command line using 'b persist show all' or in the GUI under Overview >> Statistics >> Persistence Records]

    And actually, it looks like you're adding the session information with a timeout of 180 seconds. I missed that when I first looked at your rule.

    If you extend the timeout from 180 to something longer, do you still encounter the failure?

    If so, try adding logging to your rule to see what's happening:

    
    when CLIENTSSL_CLIENTCERT {   
       set ssl_cert [SSL::cert 0]   
       log "client [IP::client_addr] - \$ssl_cert: $ssl_cert"
       session add ssl [SSL::sessionid] $ssl_cert 3600
    }
    when HTTP_REQUEST {   
       set client_cert [session lookup ssl [SSL::sessionid]]   
       log "client [IP::client_addr] - \$client_cert: $client_cert, [X509::whole $client_cert]"
       HTTP::header replace SSLCertificate [X509::whole $client_cert]
    }

    Aaron
  • It seems to work now! Thank you very much. Stupid error: I didn't look at the 180 parameter......
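The thread's fix is a longer session-table lifetime, but the lookup can still come back empty whenever the entry has expired or the SSL session ID has changed (the SOL1024 case Aaron mentioned), and then X509::whole throws the same TCL error. The rule below is an added example, not code from the thread or from F5: it keeps the original's structure and command names (LTM 9.x iRule syntax) but checks the lookup result before using it, and it clears the SSLCertificate header itself so the application only ever receives the value the BIG-IP sets. The 3600-second lifetime, the 403 response and the log text are this example's own choices.

```tcl
# Added example: guarded version of the thread's insert_cert_to_header rule.
when CLIENTSSL_CLIENTCERT {
    # Store the client certificate under the SSL session ID. The last argument
    # is the session-table lifetime in seconds; the thread's original 180 is
    # what expired during short idle periods.
    set ssl_cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $ssl_cert 3600
}
when HTTP_REQUEST {
    # The application treats this header as the authenticated client identity,
    # so drop any copy that arrived with the request before setting our own.
    HTTP::header remove SSLCertificate

    # session lookup returns an empty string when no entry exists
    # (expired, or the SSL session ID changed since CLIENTSSL_CLIENTCERT ran).
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # Log enough to correlate with the clientssl side, then reject the
        # request instead of letting X509::whole fail with a TCL error.
        log "no certificate in session table for [IP::client_addr], sid [SSL::sessionid]"
        HTTP::respond 403 content "client certificate required"
        return
    }

    # Entry found: forward the PEM certificate to the application.
    HTTP::header insert SSLCertificate [X509::whole $client_cert]
}
```

With the guard in place, an expired entry shows up as a single log line and a 403 rather than a rule failure, which is both easier to spot in the logs and safer than forwarding a request whose identity header could not be set. Verify the exact semantics of `HTTP::header remove` and `HTTP::respond` against the iRule reference for your own LTM version before deploying.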