
I have a REST webservice clustered behind an F5 using SSL Termination, SSL persistence and the balancing is "least connections". This service sees millions of messages per day. The vast majority of our clients post maybe a few messages per minute. We do, however, have a few that operate in batches and can send as many as 1.5 million messages over a very short period of time. When these clients start a batch, the behavior we see is that the F5 routes all of their messages to one instance. This creates a hotspot and, at times, has caused failures.

I'm not familiar with the clients' code but may be able to get access to that to see how they are creating their connections. However, I was wondering if there was something in the F5 configuration that I could have incorrect that could be inadvertently causing this?

Any help would be greatly appreciated.

masegaloeh
  • You have SSL persistence on. You are wondering why persistence is happening. Am I missing something? –  Sep 15 '14 at 20:32
  • @yoonix My understanding was that SSL persistence (combined with SSL term) applied to the session from the client to the F5. Not the F5 to the host. Is this not the case? – RockyMountainHigh Sep 15 '14 at 20:58
  • Right, it is not the case. You must be confusing keepalives with persistence. The purpose of SSL persistence is to use the SSL session ID to make sure subsequent requests hit the same (back end) server. Read up on [Persisting SSL Connections](https://devcentral.f5.com/articles/persisting-ssl-connections), that might help you understand better. –  Sep 15 '14 at 21:08

1 Answer


The reason this is occurring is because when the client connects, it establishes a connection to a specific back end server and the F5 will send all subsequent requests using that same connection as long as it exists. When dealing with typical client web requests from human users this solves a bunch of problems and is typical behavior. This behavior supersedes persistence behavior and will happen despite SSL persistence. A browser will typically disconnect after a few seconds of idle time, but a script will not. When dealing with the scripts from your clients, however, it sounds like this causes a bunch of problems. To fix it, you will need to use an iRule and hook into the HTTP_REQUEST event. You can then force each subsequent request to go to a different server.

James Shewey
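
The hotspot described in the answer above can be reproduced with a small model. This is an added example, not part of the original thread and not F5 code: it compares a balancing decision made once per client connection with one made for every request. The workload is constructed and scaled down, and the round-based timing and round-robin tie-break are assumptions of the model.

```python
# Added illustration (not from the thread). Simplified model: requests arrive in
# rounds and finish within their round; ties are broken round-robin (assumption).

def pick(load, start):
    """Index of the least-loaded backend; ties go round-robin from `start`."""
    n = len(load)
    return min(range(n), key=lambda i: (load[i], (i - start) % n))

def simulate(clients, n_backends, per_request):
    """Return the number of requests each backend handles.

    clients: list of (name, request_count); each client holds one keep-alive
    connection for its whole run, as a batch script would.
    per_request=False: the backend is chosen once, when the connection opens.
    per_request=True: every request is a fresh least-loaded decision.
    """
    handled = [0] * n_backends
    rr = 0
    if not per_request:
        open_conns = [0] * n_backends
        for _name, count in clients:
            b = pick(open_conns, rr)
            rr = (b + 1) % n_backends
            open_conns[b] += 1      # the balancer sees one more connection...
            handled[b] += count     # ...but the backend absorbs every request on it
        return handled
    remaining = [count for _name, count in clients]
    while any(remaining):
        in_flight = [0] * n_backends    # the previous round's requests are done
        for i, left in enumerate(remaining):
            if left:
                b = pick(in_flight, rr)
                rr = (b + 1) % n_backends
                in_flight[b] += 1
                handled[b] += 1
                remaining[i] -= 1
    return handled

# Constructed, scaled-down workload: seven light clients and one batch client.
CLIENTS = [(f"client{i}", 5) for i in range(1, 8)] + [("batch", 15000)]

if __name__ == "__main__":
    print("per-connection:", simulate(CLIENTS, 4, per_request=False))
    print("per-request:   ", simulate(CLIENTS, 4, per_request=True))
```

In the per-connection case the connection counts stay balanced (2, 2, 2, 2) while one backend takes nearly all of the requests, which is why "least connections" does not prevent the hotspot on its own.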