RE: [load balancing] F5 BigIP HA Questions

From: Chuck Adkins (
Date: Tue Jan 06 2004 - 10:27:53 EST


    About SSL endpoint w/o SSL hardware - if your license allows for proxies
    of type "SSL" instead of just "Akamize" - then you can certainly use it
    to break SSL. I know this to be true for at least the 4.2-code. All
    the hardware buys you is the initial SSL handshake, the bulk-crypto is
    still done on the CPU - which may or may not be important depending on
    your app/traffic/etc.


    -----Original Message-----
    From: Lotter, Rick []
    Sent: Monday, January 05, 2004 10:45 PM
    To: ''
    Subject: RE: [load balancing] F5 BigIP HA Questions

    Hello! My answers are below.

    -----Original Message-----
    From: Michael Ferraro []
    Sent: Monday, January 05, 2004 5:55 PM
    Subject: [load balancing] F5 BigIP HA Questions

    >We're about to buy a pair of F5 BigIPs in the secondary market and I
    >a few questions I was hoping somebody could help us with. Since we're
    >not looking to buy new, we can't really have the F5 sales engineers
    >helping us out too much...
    >If the BigIP doesn't have an SSL accelerator, what functionality do we
    >lose aside from rapid decryption/re-encryption of traffic? Can a BigIP
    >still function as an SSL endpoint without the card? My impression is

    This is my understanding as well.

    >If the BigIP can't be an SSL endpoint w/out an SSL Accelerator card,
    >would it function to load-balance HTTPS traffic? My assumption is that
    >it can read the SSL session ID w/out decrypting the packets, use round
    >robin (or another method) to distribute the connections among pool
    >members, and use that SSL session ID to route future requests for that
    >session to the same pool member. If that's true, what about IE 5.5+'s
    >habit of changing (renegotiating) SSL IDs periodically? Can BigIP
    >v4.2.6 account for that?

    Not very well, no. SSL ID is renegotiated as you know which will break
    persistence. Even ClientIP or hashing may not work based on megaproxies
    like AOL's.

    >When NAT'ing traffic to pool members, is the source IP address
    >by the BigIP? If not, I'm assuming that I have to have the BigIP's IP
    >be the default router for my pool members. Yuck. If the BigIP is the
    >default router, what about non-HTTPS traffic (e.g., SSH) originating
    >from the pool members -- will it simply forward that traffic, too?

    Nope, SourceIP should be changed, which does mean your default
    gateway/router needs to be the "internal" interface on the F5. If you
    enable the feature on the F5 it will forward all other traffic as well,
    without molesting it. You can configure it as "one-armed", but not
    suggested (you lose a lot of features and capabilities.)

    >Thanks in advance!

    No problem! We happen to have a pair of F5s with SSL accelerators we
    be getting rid of in a couple weeks... interested? :)

    Rick Lotter
    I/S - Web Systems Support


    Sussex, Wisconsin
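The SSL session-ID persistence that Michael asks about, and that Rick says breaks when the browser renegotiates, can be modelled without any F5 code. The following is an added example, not code from the thread or from F5: it parses the session id out of the cleartext ClientHello/ServerHello records (no decryption needed), keeps a session-id-to-member table as the balancer would, and walks through a constructed sequence of connections in which a client's renegotiated full handshake lands on a different pool member. The record builder, the member names and the session ids are all constructed for the example; nothing here is captured traffic.

```python
"""Model of SSL session-ID persistence and why renegotiation breaks it.

Constructed example: the Hello records are built here, not captured, and the
balancer is a toy, not BigIP's implementation."""
from itertools import cycle
from typing import Dict, List, Optional, Tuple

CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_hello(hs_type: int, session_id: bytes) -> bytes:
    """Build a minimal TLS 1.0 Hello record (constructed, not real traffic).

    Only the fields the balancer looks at are realistic: record header,
    handshake header, version, 32-byte random, session id."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f"   # one cipher suite offered
        body += b"\x01\x00"           # one compression method (null)
    else:
        body += b"\x00\x2f\x00"       # chosen suite, null compression
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_session_id(record: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (handshake_type, session_id) from a Hello record, or None.

    Everything read here is sent in the clear, which is what lets a balancer
    without an SSL endpoint still persist on the session id."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                                # version + random + sid_len
        return None
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:      # malformed length field
        return None
    return hs[0], body[35:35 + sid_len]


class SslIdBalancer:
    """Picks a pool member per TLS connection using only the session id."""

    def __init__(self, members: List[str]) -> None:
        self.members = list(members)
        self._rr = cycle(self.members)
        self.table: Dict[bytes, str] = {}

    def on_client_hello(self, record: bytes) -> str:
        parsed = extract_session_id(record)
        if parsed is None or parsed[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        sid = parsed[1]
        if sid and sid in self.table:
            return self.table[sid]      # resumption: stay on the same member
        return next(self._rr)           # full handshake or unknown id: round robin

    def on_server_hello(self, record: bytes, member: str) -> None:
        parsed = extract_session_id(record)
        if parsed is None or parsed[0] != SERVER_HELLO:
            raise ValueError("not a ServerHello")
        sid = parsed[1]
        if sid:
            self.table[sid] = member    # learn the id the chosen server assigned


def simulate() -> List[str]:
    """Constructed connection sequence; returns the member chosen each time."""
    lb = SslIdBalancer(["web1", "web2", "web3"])
    path: List[str] = []
    # 1. Client A, full handshake (empty session id): round robin picks web1.
    m = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))
    lb.on_server_hello(build_hello(SERVER_HELLO, b"A" * 32), m)
    path.append(m)
    # 2. Client A resumes with the id web1 assigned: sticky to web1.
    path.append(lb.on_client_hello(build_hello(CLIENT_HELLO, b"A" * 32)))
    # 3. Client B, full handshake: next member in the rotation.
    path.append(lb.on_client_hello(build_hello(CLIENT_HELLO, b"")))
    # 4. Client A's browser renegotiates with a fresh full handshake: the
    #    empty id gives the balancer nothing to persist on, so A moves.
    m = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))
    lb.on_server_hello(build_hello(SERVER_HELLO, b"Z" * 32), m)
    path.append(m)
    # 5. A resumes the new id and is now stuck to the new member instead.
    path.append(lb.on_client_hello(build_hello(CLIENT_HELLO, b"Z" * 32)))
    return path


if __name__ == "__main__":
    print(simulate())   # ['web1', 'web1', 'web2', 'web3', 'web3']
```

Step 4 is the failure mode Rick describes: any application state held on web1 for client A is invisible to web3 after the renegotiation, and the balancer cannot tell the new handshake apart from a brand-new client. The usual mitigations are terminating SSL on the balancer so it can persist on an HTTP cookie instead, or keeping session state out of the individual pool members.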
    The Load Balancing Mailing List
    MRTG with SLB:
    Hosted by:
    This archive was generated by hypermail 2.1.4 : Tue Jan 06 2004 - 10:42:24 EST