Persistence profile with non-http traffic, zscaler, and SSL Passthrough

Question

My latest roadblock is figuring out how to set up persistence when you can't use just about any of the persistance profiles.&nbsp; F5 LTM is going to be load balancing Microsoft Navision traffic across a server pool.&nbsp; The way Navision is setup is it's doing TCP and TLS communication to the cilent app via 7246.&nbsp; According to what I've learned in an early forum post, the F5 can't have TCP and TLS traffic on the same port, so I can't use SSL bridging, I have to use "Performace (Layer 4)" and just use SSL Passthrough.&nbsp; That's fine, it works.&nbsp; Now the problem is persistance.&nbsp; We use zScaler for our VPN/ZTNA.&nbsp; For all of our remote clients, the F5 essentially sees all the traffic as coming from our zScaler collector.&nbsp; Since the F5 sees all traffic as coming from, for example, 172.20.20.72 all the traffic is "load balanced" to the same server if we try to use source address.&nbsp; Same would be true for destination address.&nbsp; Cookie doesn't work becaue it's not HTTP traffic, MSRDP doesn't work because it's not RDP traffic, host doesn't work because it's not HTTP traffic, and the list goes on.&nbsp; I'm sure we can't be the only company using an F5 with zScaler so I'm sure someone else has the same issue?&nbsp; How did you overcome it?&nbsp; I think my answer may be using Hash or Universal but I don't understand iRules yet.&nbsp; I'm looking at them but it's not so straight forward.&nbsp; I think I should be able to create an iRule that would take the source IP and source port to create the persistence profile, but I lack any understanding of iRules at the moment.

irbk · Answer

I found this in another forum post, perhaps this is the right answer?when CLIENT_ACCEPTED {
 set client_remote "[IP::client_addr]:[TCP::client_port]"
 persist hash ($client_remote) 300
  log local0. "Connection: Client($client_remote)"
}

amine_kadimi · Answer

I think this iRule doesn't guarantee the same client to persist on the same server, but the same combination of source IP and source port, so if source port changed then the client may go to another server.
Have you tested&nbsp;Configuring the BIG-IP system to pass through SSL traffic (f5.com)&nbsp;with&nbsp;Using SSL session ID persistence (f5.com)

irbk · Answer

As per my testing so far, once the client establishes a connection to the server, it seems to stay on the same port.

As for the provided link, I believe I did mention in the original post that I have to use "Performace (Layer 4)" and just use SSL Passthrough.

irbk · Answer

For anyone else that may stumble across this, this is what we ended up usingwhen CLIENT_ACCEPTED {

if {[TCP::client_port] and [IP::client_addr] !=0} {

persist uie "[IP::client_addr]:[TCP::client_port]"

}

Forum Discussion

Persistence profile with non-http traffic, zscaler, and SSL Passthrough

4 Replies

Recent Discussions

GTM Packet Capture command

How to Implement 2 Way SSL in F5 LTM

BWC iRule

Citrix XenServer Big-IP Upgrade help

BIG-IP DNS iRule issue with static variable

Related Content

Passthrough IPSec with AFM

iRule for non http services

Decoding the IPv4 address from the persistence cookie

Setting up persistence in F5 XC

HTTPS passthrough fallback URL