Jason_Wilson_13
Jan 30, 2014

Using LTM to SSL Offload an APM Server

Hi All,

 

Trying to solve a performance issue with an APM policy in front of a Jira-based site. Everything works, but using APM and a Webtop slows down the Jira site quite significantly (2-3 times slower).

 

A suggestion was to use two virtual servers. One to act as a basic SSL offload that then passes off to the APM running with an HTTP-only interface.

 

I have done the configuration of APM and can access Jira directly through HTTP. Now, when I create another VS listening on 443, with an SSL Client profile, the server does not respond to requests.

 

With a tcpdump I can see the client connection being established, but when the F5 tries to connect to itself there is no traffic. Running a tcpdump I can see the F5 self-IP doing an ARP request for the APM-based VS, but getting no response. So the F5 is trying to find a server, but does not know that it needs to talk to itself.

 

Tried to use a loopback address (e.g. 127.0.0.99) but the GUI won't let me. Also played with SNAT options but it does not seem to make a difference. Sure it would be possible using two different F5s, but I don't have that option.

 

I am sure I read somewhere about a known issue with trying to load balance a VS running on itself, but can't seem to find any reference to it.

 

Any guidance appreciated.

 

Regards, Jason

 

2 Replies

  • Just curious here, but can you elaborate on the reasoning to use two virtual servers? APM is a module that runs on top of LTM and is ultimately dependent on an LTM virtual server. Offloading SSL at the LTM VIP that has an access policy applied should not be any slower than an SSL offloading LTM VIP that then load balances to an APM VIP. Can you perhaps also elaborate on your APM configuration?

    To pass traffic from one VIP to another on the same box, you would use the virtual command in an iRule on the external VIP, using the name of the internal VIP as reference:

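    when CLIENT_ACCEPTED {
        # Hand the accepted connection to another virtual server on this same box.
        # The bracketed text is a placeholder: put the internal VIP's name here.
        virtual [name of internal VIP]
    }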
    
  • A webtop is not a requirement for APM configurations. You typically need them for network access and portal resources, but for simple AAA services, they're not used at all. If you want to directly access the Jira-based website, not through an SSL VPN or through a portal rewrite, but still provide some form of pre-authentication and/or single sign-on, then simply create an access policy that includes whatever client-side (AAA) auth mechanisms and server-side (SSO) mechanisms you need, and no resource assignment (webtop).