Forum Discussion
David_Remington
Mar 13, 2008Employee
Posted By aknapp on 03/12/2008 1:25 PM
Hi Aaron,
We are curently using no timeout on our persistence profile. We also have OneConnect enabled with a 255.255.255.255 netmask.
F5 support has suggested this as a solution to our issue with sessions being intermingled with users that reside behind a proxy. My team and I are very skeptical that this will solve the issue, but we are doing our due diligence and running this is our test servers.
Andrea,
There is actually a very good reason why you would be seeing this in v9 but not in v4.
Basically, in v9 the cookie is only inserted on the very first request in a keep-alive session. Once it establishes the flow to the server it bypasses the persistence processing for that tcp session. But, most proxy servers use keep-alives to improve performance--sometimes even sending requests from multiple users down the same keep-alive session.
In v4, oneconnect was enabled by default, turning it off was a box-level decision, and the cookie persistence logic was invoked for every http request. In v9 oneconnect is only enabled if you are using a fasthttp virtual server or if you add a oneconnect profile to a standard virtual server with an http profile.
Turning on OneConnect in v9 will cause load-balancing to occur for each http request instead of each tcp connection--which ensures that the persistence mechanisms are invoked.
I have multiple customers who have made this same issue go away by mere application of a oneconnect profile but please feel free to follow up if your situation is unique. I love iRules, but I like built-in features better.
This article by Deb says what I just said, only probably much better:
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/OneConnect.html