Jonathan_c
Nov 29, 2023

How to force close TLS sessions in a failover scenario

Hi,

We have an application behind Big-IP which doesn't handle failovers well.

The Big-IP keeps all TLS sessions consistent and open during failover but the application doesn't support TLS resume for a session and this causes problems in the app.

I'm looking for a way to close TLS sessions for a specific VS in a failover scenario.

We're on version 16.1.4.1

Any suggestions?

Thanks

  • Jonathan_c If you're performing SSL termination on the F5, you should be able to do this by going into the SSL profile and disabling session mirroring. You will have an issue if this profile is used across multiple VS and you only need to do this on one of them, but you can always create a copy of that SSL profile and name it something slightly different so that it will only be for this one VS in question. If you do not have SSL termination, you can go into the virtual server and disable connection mirroring. These two are outlined in this article.

    https://my.f5.com/manage/s/article/K08005980

  • The ideal and proper solution is using proper health monitor configurations and a server-side SSL profile.
    If your app servers can't support TLS resume, then you need to disable resume in the server-side SSL profile.
    The F5 health monitor can be configured to read the HTTP response body, etc.
    Additionally, you can put multiple health monitors into a pool.

  • Paulius I do perform SSL termination for client side and also use SSL for server side.

    But on both SSL profiles we already have the mirroring feature disabled...

    zamroni777 by disabling resume you mean enabling the "Strict Resume" feature in the SSL server side profile?

    Do I also enable it on the client side profile?

    • zamroni777

      plus Session Ticket.
      https://my.f5.com/manage/s/article/K14806

      You can keep resume enabled in the client-side SSL profile, as LTM handles it independently of the server-side SSL.

      You can create a test server SSL profile and use it for a test pool.
      Then do a tcpdump to see the impact of the config on the SSL session setup messages.
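One way to read the result of the tcpdump check suggested above, as an added example that is not part of the original thread: on the server side the BIG-IP is the TLS client, so its ClientHello shows whether it still tries to resume after a profile change. The function names are hypothetical, the sample records are constructed, and the parser assumes the ClientHello sits whole in a single TLS record extracted from the capture.

```python
import struct

EXT_SESSION_TICKET = 35   # RFC 5077 session ticket extension
EXT_PRE_SHARED_KEY = 41   # RFC 8446 pre_shared_key (TLS 1.3 resumption)

def parse_client_hello(record: bytes) -> dict:
    """Report what a ClientHello record offers for session resumption."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[9:5 + rec_len]       # skip record (5) and handshake (4) headers
    pos = 2 + 32                       # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    result = {"session_id_len": sid_len, "ticket_len": None, "psk": False}
    if pos + 2 > len(body):
        return result                  # ClientHello without an extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == EXT_SESSION_TICKET:
            result["ticket_len"] = ext_len   # 0 = supports tickets, >0 = presents one
        elif ext_type == EXT_PRE_SHARED_KEY:
            result["psk"] = True
        pos += 4 + ext_len
    return result

def offers_resumption(record: bytes) -> bool:
    """True if the client presents a session ID, a ticket or a PSK."""
    info = parse_client_hello(record)
    return info["session_id_len"] > 0 or bool(info["ticket_len"]) or info["psk"]

def build_client_hello(session_id: bytes = b"", ticket=None) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    ext = b"" if ticket is None else (
        struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket)
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A non-empty session ID counts as a resumption offer here; TLS 1.3 clients in middlebox compatibility mode also send one on fresh handshakes, so for those rely on the `psk` field instead.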