CloudFlare and F5 Load Balancer

Hello All,

We have a url that is balanced between 2 servers in the pool on our F5. Clouflare config is implemented. The Vip in the virtual server on out LB is applied in the Cloudflare console and the Vip URL is pointing to cdn.cloudflare.net. via CNAME. We are continually seeing timeouts with two servers in the pool. If we remove one server or remove Cloudflare completely whether we have one or two servers we see no issues at all. We currently have cookie persistence set on the LB.

A typical fix for this issue is to use an F5 OneConnect Profile with a single host (/32) mask (the mask is really important, see further reading if you’d like to know why). Of course, without knowing too much about about your overall config, I’d suggest to both validate this feature against the version of TMOS (Traffic Management OS - The F5 OS) the you are running and test this with a staging/test VIP first as this would be a change on the way the F5 device behaves.

By using OneConnect, the client is not fixed to a backend server by a TCP connection, rather it will load balance the HTTP requests individually so if in the same TCP session it sees different cookies with different persistence information, it will honour that. This also ensures the cookies are set with each HTTP response.

A similar issue on F5 Dev Central: https://devcentral.f5.com/s/question/0D51T00006i7i5Q/always-send-cookie-problems

And more detail here in these F5 KB’s:

https://support.f5.com/csp/article/K7208
https://support.f5.com/csp/article/K7964

7 Likes

The behaviour here is typically due to the fact that F5’s will set a session cookie (if none exists) at the beginning of a TCP connection but (and this is usually where the issue is) then ignore all cookies passed on subsequent HTTP requests made on the same TCP socket. This tends to break session affinity because Cloudflare will send multiple different HTTP sessions on the same TCP connection.

This is not so much a Cloudflare issue, rather it’s the way Cloudflare uses keep-alives & reuses connections, combined with the way an F5 will set cookies by default. This can be fixed by changing the F5 configuration

5 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.