Forum Discussion

Ka_Lun_Chou's avatar
Ka_Lun_Chou
Icon for Nimbostratus rankNimbostratus
May 05, 2011

How to enable mirror persistence on UIE?

To offload FirePass SSL function to LTM, I have the following irule applied on the virtual server. It is working fine except the UIE persistence record will not be mirror to the standby LTM. Can anyone advise how I can achieve that? LTM version is 9.4.8

 

 

when RULE_INIT {

 

set ssl_handshake 0

 

}

 

when CLIENTSSL_HANDSHAKE {

 

set ssl_handshake 1

 

}

 

when CLIENTSSL_CLIENTCERT {

 

set ssl_handshake 1

 

}

 

when HTTP_REQUEST {

 

if { [HTTP::cookie exists "MRHSession"] } {

 

persist uie [HTTP::cookie "MRHSession"] 2100

 

} else {

 

set sess [findstr [HTTP::uri] "sess=" 5 "&"]

 

if { $sess != "" } {

 

persist uie $sess 2100

 

}

 

}

 

set http_disable 0

 

if { $ssl_handshake == 1 } {

 

HTTP::header replace "BIGIP" "on"

 

HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"

 

HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"

 

HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"

 

set ssl_handshake 0

 

}

 

if { [HTTP::uri] starts_with "/myvpn" } {

 

set http_disable 1

 

}

 

if { [HTTP::uri] starts_with "/tunnel" } {

 

set http_disable 1

 

}

 

}

 

when HTTP_REQUEST_SEND {

 

if { $http_disable != 0 } {

 

HTTP::disable

 

}

 

}

 

when HTTP_RESPONSE {

 

if { [HTTP::cookie exists "MRHSession"] } {

 

persist add uie [HTTP::cookie "MRHSession"] 2100

 

}

 

}

 

3 Replies

  • Have you created a custom Universal persistence profile with mirroring enabled and added it to the virtual server?

     

     

    Aaron
  • Let me give more information.

     

     

    To make FirePass ssl-offload work. I use both cookie insert persistence (in default persistence profile) and the UIE (in irule)

     

     

    The cookie persistence profile is for BigIP's persistence cookie bigipserverXXX before authentication on FirePass (like during prelogon sequence)

     

     

    The UIE is for Network Access connection persistence after FirePass authentication. Since the VPN connection cannot send cookies to FirePass, this breaks the cookie persistence.

     

     

    Since I already have the cookie persistence profile chosen in default persistence profile, I cannot choose universal persistence profile. Besides, universal persistence profile cannot be chosen in fallback persistence profile.
  • hi all,

     

     

    did you success to write the script for the LDAP issue?

     

    i have the same issue and really don't know what to do.

     

     

    if you succeed it will be nice to have script.

     

     

    Regards,