Solved

peristance with f5 for load balancing to https sites.

Posted on 2010-09-08
7
1,468 Views
Last Modified: 2012-05-10
We currently load balance two seperate proxy servers at different locations via our BigIP F5 Load Balancer.  We have a two nodes assigned to a pool, then the pool assigned to a virtual server.  All works just fine however we have some https sites that have problems authenticating.  If I disable one member in the pool, everything works fine.  How can I make a connection remain to one proxy server once it is established?

configuration is as follows:

proxy-pool

Allow SNAT:Yes
Allow NAT:Yes
Action on service down: None
slow ramp time: 0
IP toS to client Pass Through
IP ToS to Server Pass Through
Link QoS to Client Pass Through
Link QoS to Server Pass Through

Virtual Server

Service Port: *
State: Enabled
Type: Standard
Protocol: TCP
Protocol Profile (Cliet): tcp
Protocol Profile (Server): (Use Client Profile)
OneConnect Profile: None
HTTP Profile: None
FTP Profile: None
SSL Profile (Client): None
SSL Profile (Server): None
Stream Profile: None
RTSP Profile: None
SMTP Profile: None
SIP Profile: None
Statistics Profile: None
VLAN Traffic: All VLANS
Rate Class: None
Connection Limit: 0
Address Translation: Enabled
Port translation: disabled
SNAT Pool: Auto Map
Clone Pool (Client): None
Clone Pool (Server): None
Last Hop Pool: None

Default Persistence Profile: dest_addr
Fallback Persistence Profile: source_addr
0
Comment
Question by:Kitsap_Technology
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 33633122
Let me make sure I have this.  One F5, one pool with two members.

Is the F5 at the same location as one of the proxy servers?  Could there be a slight performance issue between the F5 and one of the proxies?

A bit off topic, but is there any reason why you don't just use the F5 as the proxy server?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33633152
I also noticed you have no SSL profiles.  So I am assuming you are not doing SSL offload either.

So you are just passing based on IP address, no  SSL offload, no caching, and no compression?
0
 

Author Comment

by:Kitsap_Technology
ID: 33639551
The F5 is at the same location as one of the proxy servers.  The other location is connected via a 1Gig Fiber link.  We have not done SSL offloading yet.  We do not use the F5 as the proxy because we hand off the traffic from the F5 to our iPrism proxy servers so we can do content filtering.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 33639731
Since you are doing content filtering, is it safe to assume that this outbound web surfing?

It has been my experience that the F5 will reselect a pool member if the prior selected member does not respond "fast enough."

Now by default the persist record only stays around for 180 after the last transaction in a TCP connection.  So you may need to increase this value.  This is on the persist profile definition.
0
 

Author Comment

by:Kitsap_Technology
ID: 33641544
Yes, this is for outbound websurfing.  I have created a persistence profile and increased the timeout to 900.  The user is testing now.  Should hear back soon if the problem persists (no pun intended).
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33643078
O.K, we don't use our for web surfing.  Our is used for front ending J2EE applications.

Hopefully they don't sit there doing nothing for more that 15 minutes and expect to get back where they were.

0
 

Author Closing Comment

by:Kitsap_Technology
ID: 33667965
Seems to have solved the issue!
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Laptop specs recommendation 13 50
USB 3 PCI-E card in a PCI-E 1.0 slot 7 67
How do I enable VPN on server 2008 R2 19 63
external website is 16 41
Great sound, comfort and fit, excellent build quality, versatility, compatibility. These are just some of the many reasons for choosing a headset from Sennheiser.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question