Forum Discussion

MW1
Apr 15, 2014

SSL persistence method even though the SSL session is being terminated

A minor question on some F5 config I have inherited that caught me out. Virtual server listening on HTTPS on the front end, and communicating on plain HTTP to the backend pool of servers. The persistence is set to use SSL for the primary and src addr as the fallback.

I read the F5 KB and it states: SSL: SSL persistence is a persistence option specifically intended for use with non-terminated SSL sessions, and tracks the server to which connections should be sent using the SSL session ID.

I guess I misunderstood the KB as I thought that meant it would not work with terminated SSL sessions, however it appears it does (I presume it must look at the SSL session ID on the "frontside" rather than once it has terminated the SSL to route on to the backend server pool).

Does anyone have experience to confirm the above, and also are there any reasons not to use this tracking method if terminating the SSL sessions on the F5?

Thanks in advance

5 Replies

  • I believe it does work as you've found. I can't find my notes on it just now but Kevin stated it was possible, I'm pretty sure he also said you should use source address as a backup. I'll see if I can dig those notes out later and provide more detail.

  • Kevin_K_51432
    Historic F5 Account

    Hi MW, It looks like the only restrictions are using an SSL Server Profile and Client Authentication. Some additional details:

    https://support.f5.com/kb/en-us/solutions/public/3000/000/sol3062.html?sr=36697813

    Be careful of using source address as backup. If connections come through a proxy or the timeout is longer for the source IP, it will overtake the SSL ID Persistence.

    Kevin
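    To make Kevin's caveat concrete, here is a small constructed simulation (added to this thread, not F5 code and not from any BIG-IP documentation) of a persistence table with SSL session ID as the primary method and source address as the fallback. It assumes, as a simplification, that the fallback record is consulted only when no primary record matches, and that every matched or newly created record is refreshed on each connection; the pool names, IP addresses and timeouts are made up for the example. It shows two things: clients behind a shared proxy IP all stick to one server regardless of timeouts, and a source-address timeout longer than the SSL one keeps a returning client on its old server after its SSL record has expired.

```python
from dataclasses import dataclass, field

# Constructed pool; a real BIG-IP pool would be selected by the load-balancing method.
SERVERS = ("web1", "web2", "web3")


@dataclass
class PersistenceTable:
    """Simplified model of a virtual server with SSL session ID persistence as the
    primary method and source-address persistence as the fallback (assumption:
    fallback is only consulted when the primary lookup misses)."""
    ssl_timeout: int          # seconds an SSL session ID record stays valid
    src_timeout: int          # seconds a source-address record stays valid; 0 = no fallback
    ssl_records: dict = field(default_factory=dict)  # session_id -> (server, expires_at)
    src_records: dict = field(default_factory=dict)  # client_ip  -> (server, expires_at)
    next_server: int = 0      # round-robin index used when no record matches

    @staticmethod
    def _lookup(table, key, now):
        rec = table.get(key)
        if rec is not None and rec[1] > now:
            return rec[0]
        table.pop(key, None)          # drop an expired record
        return None

    def route(self, session_id, client_ip, now):
        # Primary: the SSL session ID seen on the client-side (front) connection.
        server = self._lookup(self.ssl_records, session_id, now)
        if server is None and self.src_timeout:
            # Fallback: source address. This is where a proxy IP or a longer timeout
            # "overtakes" the SSL persistence decision.
            server = self._lookup(self.src_records, client_ip, now)
        if server is None:
            server = SERVERS[self.next_server % len(SERVERS)]
            self.next_server += 1
        # Refresh both records for this connection.
        self.ssl_records[session_id] = (server, now + self.ssl_timeout)
        if self.src_timeout:
            self.src_records[client_ip] = (server, now + self.src_timeout)
        return server


def clients_behind_proxy(src_timeout, ssl_timeout=300):
    """Three browsers behind one proxy IP, each with its own SSL session."""
    table = PersistenceTable(ssl_timeout, src_timeout)
    proxy_ip = "203.0.113.5"          # constructed documentation-range address
    return [table.route(f"sess-{i}", proxy_ip, now=i) for i in range(3)]


def returning_client(src_timeout, ssl_timeout=300):
    """One client returns after its SSL record expired, with a new session ID."""
    table = PersistenceTable(ssl_timeout, src_timeout)
    ip = "198.51.100.7"               # constructed documentation-range address
    first = table.route("sess-a", ip, now=0)
    second = table.route("sess-b", ip, now=ssl_timeout + 100)
    return first, second


if __name__ == "__main__":
    print("proxy, src fallback 3600s:", clients_behind_proxy(3600))   # all web1
    print("proxy, no src fallback:   ", clients_behind_proxy(0))      # spread across pool
    print("returning, src 3600s:     ", returning_client(3600))       # stays on web1
    print("returning, src 300s:      ", returning_client(300))        # re-balanced to web2
```

    Running it shows the first point does not depend on timeouts at all: as long as a source-address record for the proxy IP exists, every new SSL session from behind that proxy lands on the same pool member. The second point is the timeout mismatch Kevin describes; keeping the source-address timeout no longer than the SSL one lets the fallback expire together with the primary record, so a returning client is re-balanced instead of being pinned by the stale fallback entry.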

    • What_Lies_Bene1
      Thanks Kevin. I finally found my notes from the other Kevin, as follows: "on some older platforms, the SSL session ID isn’t stored globally; it’s stored within the TMM handling that connection. Therefore a CMP system may create multiple different persistence records for connections within a single session. Disabling CMP on the Virtual Server overcomes this issue but this is not ideal." - I'd assume this isn't really an issue anymore with the various TMOS and platform upgrades since then.
  • Kevin_K_51432
    Historic F5 Account

    Welcome. Oh, forgot about that (it's been a while). That's the "SSL Session Cache" and was an issue prior to 10.1.0:

    http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10610.html

    Kevin