Some Sticky Cookie Advice Please

Unanswered Question
Feb 1st, 2007

Dear NetProf,

I?ve installed a css11501s some time ago, however the web company has just finished designing and testing the new site and hit a problem. The primary use of the css is for SSL proxy and load balancing across 2 servers.

Basically there is an issue with the authentication process on the web site and the load balancing. The authentication is tied to a server, and therefore as the css is doing the job, 50% of the time it works, obviously there are only two servers in this setup.

I am a little confused why it is balancing the traffic, as thought persistence was supposed to maintain a level of stickiness?

I believe that I may need to implement sticky cookies to resolve but just need some advice and info on how to do this. If there is a simpler way please also let me know.

Here is an extract of the config;

CSS11501# sh run

!Generated on 01/02/2007 02:02:16

!Active version: sg0810106


!*************************** GLOBAL ***************************

date european-date

ssl associate rsakey rsakey rsakeyfile1

ssl associate cert SSLCERT SSLcertfile.pem

ftp-record ftpserv admin des-password xxx

ip route 1

!************************** CIRCUIT **************************

circuit VLAN1

ip address

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list 1

ssl-server 20

ssl-server 20 vip address

ssl-server 20 cipher rsa-with-rc4-128-md5 8080 weight 5

ssl-server 20 rsakey rsakey

ssl-server 20 rsacert SSLCERT


!************************** SERVICE **************************

service server2

ip address


service server1

ip address


service ssl_serv1

type ssl-accel

slot 2

keepalive type none

add ssl-proxy-list 1


!*************************** OWNER ***************************

owner L5_Owner

content L3_Rule

add service server1

add service server2

vip address

balance srcip


content L5_Rule

add service server1

add service server2

vip address

protocol tcp

port 80

url "/*"

balance aca


owner ssl_Owner

content ssl_rule1

vip address

protocol tcp

port 443

application ssl

add service ssl_serv1


Many thanks in advance for assistance.

I always rate helpful posts.

Regards, Adrian

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Gilles Dufour Mon, 02/05/2007 - 06:53


indeed you need stickyness as browsers actually use multple TCP connections when going to a server.

sticky cookie seems to be the best in the this case.

I see that your proxy list redirect the traffic to 8080.

You do not have a content rule with this port so traffic will hit the default rule L3_Rule.

I would suggest configure a rule like this

content decrypted

add service server1

add service server2

vip address

protocol tcp

port 8080

url "/*"

advanced-balance arrowpoint-cookie



aoshea Mon, 02/05/2007 - 07:12

Hi Gilles,

Many thanks for helping me out, I've been doing some investigation today as well ;-)

By configuring the above rule that matches specifically the secure traffic (http over port 8080 on server side & ssl 443 for clients connecting over the internet).

Should I also use the advanced-balance arrowpoint-cookie statement under the owner ssl_rule1 / content ssl_rule1 as even though this is encrypted between client and css it is not encrypted (port 8080 between css and server).

Should I still keep the original L3_Rule?

Should I also use this config for the L5_rule as well?

The reason I ask is that not sure where the web companies login fails (have meeting tomorrow) to see if it is before they enter the secure side of the site or not.

Also once I configure this do I need to go about setting up a web page to tell users how to enable cookies in their browsers if not switched on by default? (Think I do but little unsure as this is sometime referred as cookie INSERT ? is it the same).

After reading some of the notes on the earlier version of css code (pre 4.1) should it be best to set the expiration period on the cookies as well, read somewhere the client side would be one year unless set?

Thanks again, much appreciated assistance.

Best regards, Adrian.

Gilles Dufour Mon, 02/05/2007 - 23:04


the cookie should only be applied to http rule. Never for SSL.

You can get rid of the L3_rule if it has no use.

You can enble the cookie on the http rule if needed.

You should indeed inform the users that they need to enable cookies when browsing this website.

You can set expiration time if you want but this is not a requirement.


aoshea Tue, 02/06/2007 - 01:45

Hi Gilles,

Thanks again for your assistance, I will add the new rule and test. I will then remove the L3_rule later if no longer matching traffic. If it resolves all my problems I owe you a big thank you. I will mark the post as resolved if positive news.

Thanks again. Best regards, Adrian.


This Discussion