amigan_99
asked on
F5 SSL Sticky Load Balancing Question
Suppose you had a virtual server setup www.foo.com 10.10.200.21 reachable via SSL/443.
It has two resources serverA.foo.com and serverB.foo.com selected by
round robin selection and reached at port 8080.
For a long time this works very well with users going to https://www.foo.com.
Then one day Developer Dan decides to add a cname wow.foo.com which
resolves to www.foo.com and he adds a link on the site with url wow.foo.com.
And then the stickiness seems to stop working.
My question is - if the session was initiated with www.foo.com would clicking
wow.foo.com start a new SSL session that then pooches the stickiness?
I think this is what's going on. Tomorrow I'll run a wireshark to see if that's
the case. But what say ye Load Balancing experts?
ASKER CERTIFIED SOLUTION
Check SSL persistence profile or equivalent stickiness profile.
Note: The SSL persistence type is only valid for systems that are not performing SSL certificate-based authentication of client requests or server responses.
If you are using Client SSL or Server SSL profiles to configure certificate-based authentication, do not configure an SSL persistence profile. Instead, create an iRule to perform SSL session persistence.
Next, you can try reproducing the issue with a browser plugin like Fiddler2 or HttpWatch to see what the client is sending. You can also use an iRule to log debug messages on the persistence and load balancing decisions.
You can also check the following if using another profile:
https://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/oneconnect.html
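A debug iRule of the kind the answer above suggests, as an added example that is not part of the original thread or F5's own code. It assumes the rule is attached to the HTTPS virtual server with a Client SSL profile and an HTTP profile, and it logs to the default local0 facility:

```tcl
# Added example: log what is needed to see why stickiness breaks when a
# client follows a link from www.foo.com to the CNAME wow.foo.com.
# Assumption: attached to the 443 virtual server that has Client SSL and
# HTTP profiles; messages go to the local0 facility.

when CLIENTSSL_HANDSHAKE {
    # One line per completed TLS handshake. A different session ID for the
    # same client means SSL session-ID persistence has no existing record
    # to match for that connection.
    log local0. "tls client=[IP::client_addr]:[TCP::client_port] sessionid=[SSL::sessionid]"
}

when HTTP_REQUEST {
    # The Host header shows which name (www or wow) the browser used on
    # this connection. The path is logged rather than the full URI so that
    # query strings do not end up in the log.
    log local0. "http client=[IP::client_addr]:[TCP::client_port] host=[HTTP::host] path=[HTTP::path]"
}

when LB_SELECTED {
    # The pool member chosen for this connection, whether it came from a
    # persistence record or from a fresh round robin pick.
    log local0. "lb client=[IP::client_addr]:[TCP::client_port] member=[LB::server addr]:[LB::server port]"
}
```

Correlating the three lines by client address and port shows whether the request for wow.foo.com arrived on a new connection with a different session ID and was sent to a different pool member. Remove the rule once the test is done, since it writes several log lines per connection.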