Forum Discussion

portoalegre's avatar
portoalegre
Icon for Nimbostratus rankNimbostratus
Feb 20, 2013

HTTPS Persistence (Sharing load)

I have pair of DMZ servers load balanced using an F5 which is also on the DMZ.

 

1 VS listening on port 443 (this VIP has a client SSL cert configured on the VIP)

 

behind this VS sits a server pool with 2 servers listening on port 8000

 

Everything is working apart from share load between the 2 servers, we are using Source based IP persistence and unfortunately there are hundreds of different client connections but all these clients are source NATed on the Firewall to a single HIDE NAT for security purposes. Which means the F5 always sees the same Source IP and sends the connection to the same server, this server is getting busy!

 

Is there any other way I could make or share the load across servers in this scenario? At the moment I can't think of any.

 

config
design

10 Replies

Sort By
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Feb 20, 2013
    portoalegre

     

     

    How about using Cookie Persistence?

     

     

    Rgds

     

    N
  • portoalegre's avatar
    portoalegre
    Icon for Nimbostratus rankNimbostratus
    Feb 21, 2013
    Isn't cookie persistence for HTTP connections only not HTTPS. Cookie persistence only supports the HTTP protocol.
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Feb 21, 2013
    Cookie persistence is supported in the HTTP protocol, not to be confused with HTTPS which is HTTP over SSL. HTTPS isn't a protocol unto itself. Plus, the fact that you have a client SSL profile applied to the VIP means you're decrypting the HTTPS traffic at the BIG-IP, which means it can see the clear text HTTP data and can absolutely utilize cookies for persistence.
  • pete_71470's avatar
    pete_71470
    Icon for Cirrostratus rankCirrostratus
    Feb 21, 2013
    What is the load balancing method used for the pool? A connection must first have been balanced to a node for persistence to keep sending connections to that node, so something else (priority group, balancing method, ratio, rule, etc) must be keeping just one node busy.
  • portoalegre's avatar
    portoalegre
    Icon for Nimbostratus rankNimbostratus
    Feb 22, 2013

    pete

     

    pool servers both listening on port 8000

     

    Ratio 1 for both servers

     

    Priority Group 0 for both

     

     

    VS

     

    all settings default expect at this stage using Default Persistence Profile source_addr

     

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Feb 22, 2013
    You didn't mention what load balance method you're using e.g. round robin.

     

     

    Anyway, have you tried cookie persistence to see if this works?

     

     

    N
  • portoalegre's avatar
    portoalegre
    Icon for Nimbostratus rankNimbostratus
    Feb 22, 2013
    .........least connections

     

     

    I've already tried cookie persistence and this doesn't work. You have to add a HTTP profile (used default).
  • portoalegre's avatar
    portoalegre
    Icon for Nimbostratus rankNimbostratus
    Feb 22, 2013
    Nathan - In regards to cookie persistence using the HTTP profile, if the servers are listening on port 8000 and not port 80, would that cause a problem.

     

    Port 80 is open on each server but the application team has requested to listen on port 8000 for F5 purposes, customer connects to VS HTTPS port 443 (I've used standard tcp health check)
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Feb 22, 2013
    It's pretty normal to have the real servers listening on different ports, the port 'translation' is automatic. This would not affect Persistence in any way.
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Feb 22, 2013
    Thanks Steve, been offline for a while.

     

     

    Anyway, when you tried cookie persistence could you see an f5 cookie on the client and see it in the http traffic (fiddler / httpfox)?

     

     

    Perhaps an anonymised copy of your VS might be an idea and what LTM version you're running.

     

     

    N