Forum Discussion

Mark_Cloutier
Jan 30, 2015

Using encrypted persistence cookies with multiple LTMs

I have a dual datacenter architecture, using GTMs to load balance between datacenters, and in each datacenter I have a pair of LTMs that use cookie based persistence, so that if DNS persistence fails, the LTM in the opposite datacenter can still send the traffic back to the original webserver via an internal backhaul circuit. I use the same pool names so the persistence cookie will work in either datacenter. My question is if an LTM in one datacenter encrypts the persistence cookie, would the LTM in the other datacenter still be able to use it? I haven't been able to find much documentation on how the cookies are encrypted. My guess is that the LTM that encrypts it has a private key to unencrypt it, and that key probably wouldn't be available to the other pair of LTMs. Anyone have experience with this?


7 Replies

  • Yeah, as long as the cookie name matches and the secret phrase matches it will be fine. I run the same setup.
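What the other datacenter actually needs to read from the cookie is the pool member it encodes, which is why the pool name (the cookie name) and the secret phrase (the cookie value) both have to line up. The decoder below is an added example, not code from this thread or from F5; it assumes the documented cleartext BIG-IP cookie layout ("<ip>.<port>.0000", IPv4 as a little-endian 32-bit decimal, port byte-swapped) and constructed Set-Cookie lines, so a defender can confirm that a VIP with encryption turned on no longer hands out decodable member addresses.

```python
import re
import struct
from typing import List, Optional, Tuple

# Cleartext BIG-IP persistence cookie value: "<ip>.<port>.0000", where <ip> is the
# IPv4 address as a little-endian 32-bit decimal and <port> is the byte-swapped
# 16-bit port. An encrypted cookie value does not match this shape.
CLEARTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a cleartext cookie value, or None when it is opaque."""
    m = CLEARTEXT_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    port = struct.unpack("<H", struct.pack(">H", port_int))[0]  # undo byte swap
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie, useful for building test fixtures."""
    ip_int = struct.unpack("<I", bytes(int(o) for o in ip.split(".")))[0]
    port_swapped = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_swapped}.0000"


def audit_set_cookie(headers: List[str]) -> List[Tuple[str, Optional[Tuple[str, int]]]]:
    """For every BIGipServer* cookie in response headers, report the decoded member,
    or None when the value is opaque (i.e. the cookie is encrypted as intended)."""
    findings = []
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, _, rest = h.split(":", 1)[1].strip().partition("=")
        if name.startswith("BIGipServer"):
            findings.append((name, decode_bigip_cookie(rest.split(";", 1)[0])))
    return findings


# Constructed sample headers: one cleartext cookie (member 10.1.1.100:80) and one
# opaque value standing in for an encrypted cookie; neither is captured traffic.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.20480.0000; path=/",
    "Set-Cookie: BIGipServerapp_pool=Zk9ybWF0U3RhbmRJbg==; path=/",
    "Set-Cookie: JSESSIONID=constructed; path=/",
]
```

Run `audit_set_cookie(SAMPLE_HEADERS)` against headers from each datacenter's VIP: a decoded address means the cookie is still cleartext.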


  • Thanks Nick, I must have missed that part about using a secret phrase... that makes sense. I was worried it was going to be some internally generated private key like with a self-signed cert that might be painful to export and import....


  • Hi all, I am using the F5 default cookie for persistence defined on the virtual server, which has the same name for both datacenters. I use an iRule to route the traffic to the original datacenter in case traffic goes to the other datacenter. But it looks like the persistence cookie is getting reset when it goes to the opposite datacenter, since the persistence cookie identifying the server is invalid for this new datacenter. Now when traffic is routed back to the original datacenter again the cookie is invalid, so the session goes to a different server. How can I stop the persistence cookie from being reset when it goes to the opposite datacenter, and kick off routing to the original datacenter before any cookie is reset?


      Mark_Cloutier
      The persistence cookie contains the pool name, so you need to use the same pool name in both datacenters, or, in the iRule that does the redirection back to the "correct" datacenter, make sure you are redirecting before a load balancing decision is made, with the associated persistence application.... BTW, I have to revisit my setup: when I encrypted mine, sites stopped working, so I need to do more investigation as to why....
  • Hi Mark. The pool name in both datacenters is the same, so the default persistence cookie name is the same in both datacenters. Correct, that is my main issue: how do I redirect before the load balancing decision is made?


      Brad_Parker
      Are you trying to route the traffic across an inter-datacenter connection? I don't think a "redirect" is what you want. I actually have a solution that routes persistence across an inter-DC connection, if that's what you're looking to do. I don't want to hijack this thread for your question though. If you re-post the question as its own question I can share the solution we are using. I'm actually going to be presenting it at our next F5 user group meeting.