Forum Discussion

zdvickery_12307
Apr 18, 2013

F5 Big-IP with SSL and TCP keepalives

We have an application which includes a persistent SSL connection from a remote endpoint to a central server. These connections are long-running and use TCP keepalives to monitor the health of the long running connections. Because these connections may run over wireless networks with associated data charges, the application can adjust the frequency of keepalives dynamically.
We first set this up using a F5 Big-IP to perform load balancing. The configuration consisted of a virtual server with a profile that included fastL4, loose initiation, and loose close. The TCP keepalives were passed along by the F5 and everything worked great. This solution requires SSL to be handled in our application, which is not ideal.
We started exploring using the F5 to terminate SSL; however, the use of the clientssl profile precludes the use of fastL4 and causes the F5 to respond to keepalives rather than passing them through. In reading the various online documentation, it seems like there is no way to have the F5 pass through a keepalive when terminating SSL. Before I give up completely, I thought I'd ask the community if there was anything I may have missed that could support this requirement. Thanks!
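The keepalives the poster is talking about are TCP-layer probes, configured per socket with `SO_KEEPALIVE` and the platform's timer options, which is why a device that terminates the TCP connection (the full-proxy path that a clientssl profile requires) answers them itself instead of forwarding them. The following is an added illustration, not code from the poster's application, of how a server tunes that probe rate per connection; it assumes Linux option names (`TCP_KEEPIDLE`, `TCP_KEEPINTVL`, `TCP_KEEPCNT`) and falls back to macOS's `TCP_KEEPALIVE` for the idle timer, and the interval values are constructed for the example:

```python
import socket

# Platform socket options for keepalive timing. Linux exposes TCP_KEEPIDLE,
# TCP_KEEPINTVL and TCP_KEEPCNT; macOS names the idle timer TCP_KEEPALIVE.
# Any option the platform lacks is simply skipped.
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
_INTERVAL_OPT = getattr(socket, "TCP_KEEPINTVL", None)
_COUNT_OPT = getattr(socket, "TCP_KEEPCNT", None)


def read_keepalive(sock):
    """Return the keepalive settings currently applied to sock as a dict."""
    out = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    if _IDLE_OPT is not None:
        out["idle_s"] = sock.getsockopt(socket.IPPROTO_TCP, _IDLE_OPT)
    if _INTERVAL_OPT is not None:
        out["interval_s"] = sock.getsockopt(socket.IPPROTO_TCP, _INTERVAL_OPT)
    if _COUNT_OPT is not None:
        out["probes"] = sock.getsockopt(socket.IPPROTO_TCP, _COUNT_OPT)
    return out


def set_keepalive(sock, idle_s, interval_s, probes):
    """Enable TCP keepalive on sock and set its probe timing where supported.

    The kernel sends an empty probe after idle_s seconds of silence, retries
    every interval_s seconds, and drops the connection after `probes` unanswered
    probes. Whatever host terminates the TCP connection answers these probes;
    the application on top of the socket never sees them.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if _IDLE_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _IDLE_OPT, idle_s)
    if _INTERVAL_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _INTERVAL_OPT, interval_s)
    if _COUNT_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _COUNT_OPT, probes)
    return read_keepalive(sock)


def demo():
    """Tune one socket twice, as a server might per endpoint type (constructed values)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # A metered wireless endpoint: probe rarely to keep data charges down.
        wireless = set_keepalive(sock, idle_s=600, interval_s=60, probes=3)
        # A wired endpoint: probe often so a dead peer is noticed quickly.
        wired = set_keepalive(sock, idle_s=30, interval_s=10, probes=3)
        return wireless, wired
    finally:
        sock.close()


if __name__ == "__main__":
    for label, settings in zip(("wireless", "wired"), demo()):
        print(label, settings)
```

Because these settings live in the kernel of the host that owns the TCP connection, they only measure reachability as far as the next TCP endpoint. With fastL4 the BIG-IP forwards segments, so the next endpoint is the remote device; with a clientssl profile the BIG-IP's own TCP stack is the endpoint, so the server's probes are answered in the data center, which is exactly the limitation the thread describes.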
3 Replies

  • I don't think there is; however, I'm not sure this is an issue. If the client gets a response from the F5 (confirming communications over those dodgy and/or public networks to the inside of yours), isn't that good enough? If not, why not? The F5's monitoring the server side.
    If this is the only VS using the Virtual IP Address in question it's also possible to have the F5 not respond to ARPs which would potentially ensure the keepalives are not responded to depending on your setup.
  • In our case, the keepalives originate with the server (in the data center) since it knows the appropriate rate for the type of endpoint it is talking to. If the F5 in the same data center responds to the keepalive, it doesn't really tell us anything. You do have a good point that if the endpoints originated the keepalives the solution might be good enough.
    We do have other virtual servers bound to this virtual IP. Disabling ARP was not something I'd thought of. Thanks!
  • Sorry, regarding the ARP, what I meant was you can configure the Virtual Address to not respond to ARPs if the Pool Members are all down. In your case this wouldn't be appropriate now you've provided more detail.
    It's unfortunate things are the way around they are; it makes things very tricky.