Forum Discussion

pjcampbell_7243's avatar
Feb 07, 2011

Offload a specific outbound ssl request?

Hi all



We have an issue where when our code goes out to check a 3rd party vendor for product inventory via HTTPS directly from the Java/apache webserver, the load spikes.



We could have 100 users hitting the DB on a single web server, no problem. As soon as we have X (a VERY small number) users simultaneously checking 3rd party inventory, the server load spikes.



The problem seems to be linear, that the load gets higher and machine gets slower as the number goes up until it is too slow to accept a new connection and we get timeouts.



I cannot say for sure that this is an SSL issue but I wanted to try to have the programmers change their request to plaintext.



Could I setup a local VIP on the BIGIP with the pool member being the 3rd parties IP and use server SSL to connect?



I believe I have tried to use non-local IPs as pool members before and it does not seem to work (maybe strictly a configuration issue on our end). Is there any reason why and any other suggestions?




10 Replies

  • Which load spikes? Is it LTM or the servers?



    You can set up a local virtual server which points to a non-local pool. You can use a plaintext HTTP virtual server (no client SSL profile) and serverside SSL (server SSL profile). You'll need a route to the remote server(s) and SNAT on the virtual server to ensure the requests are proxied out and the response comes back through LTM.



  • Thank you and sorry, it's the web server load that spikes.



    I thought maybe it was some inefficient SSL classes the programmers are using that causes this. There is no real foundation behind this guess, but I have nothing else to go on and need to try something.



    I have never used a server SSL... do i simply assign the default serverssl profile to the VIP?



    I think the problem why I can't use a non local pool member is due to config on our end. From the units, I cannot reach anything externally. Maybe a routing issue.






    thanks so much for your reply.
  • That seems like a reasonable test to try. You can use the default server SSL profile as long as the remote pool member doesn't require a client cert. If that's the case, then you'd want to create a custom server SSL profile with the client cert configured.



    If remote pool members haven't worked in the past, I'd check routing on LTM first and then firewall(s) between LTM and the internet.



  • how do we determine which interface the outbound 3rd party request will go out of? on the bigip, we have 2 default routes?


  UG 0 0 0 INT-PIX

  UG 0 0 0 eth0




    in the bigip GUI under routes, the default route is going to . considering we can't get out to the internet on , would that be the issue?



    I can hit other IPs on our intranet that are not on the bigip.


  • Active] ~ tracepath


    1: ( 0.688ms pmtu 1500


    1: ( 1.423ms


    2: no reply


    3: no reply


  • Ok I got it so that I can connect to my remote IP from the BIGIP - now why does it not find that pool member (the remote IP) as "active" . my check is TCP_443 - which it responds to....
  • Hi Again


    I have tested this successfully on a LOCAL IP that answers on 443 only with your above suggestions



    So it seems the missing piece of this puzzle is why I can't seem to get the BIGIP to see my remote pool member as "UP" even though I can now successfully connect to it from the CLI on port 443.
  • Hi pjcampbell,



    When you say that the Big-IP can't seem to see your remote pool member as "UP", what do you mean?



    Are you saying that the Pool Member is showing as unavailable? (Red Diamond)



    What health checks to do you have configured on the pool?
  • I cheated and called support



    I had 0 health checks assigned to the pool or pool member, but ICMP on the node (the Ip is not pingable) was getting us.
  • Getting the right answer to your problem is never cheating on here :-)



    Glad you got it all worked out.