Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
8
Helpful
4
Replies

Some Sticky Cookie Advice Please

aoshea
Level 1
Level 1

‎02-01-2007 08:14 AM

Dear NetProf,

I?ve installed a css11501s some time ago, however the web company has just finished designing and testing the new site and hit a problem. The primary use of the css is for SSL proxy and load balancing across 2 servers.

Basically there is an issue with the authentication process on the web site and the load balancing. The authentication is tied to a server, and therefore as the css is doing the job, 50% of the time it works, obviously there are only two servers in this setup.

I am a little confused why it is balancing the traffic, as thought persistence was supposed to maintain a level of stickiness?

I believe that I may need to implement sticky cookies to resolve but just need some advice and info on how to do this. If there is a simpler way please also let me know.

Here is an extract of the config;

CSS11501# sh run

!Generated on 01/02/2007 02:02:16

!Active version: sg0810106

configure

!*************************** GLOBAL ***************************

date european-date

ssl associate rsakey rsakey rsakeyfile1

ssl associate cert SSLCERT SSLcertfile.pem

ftp-record ftpserv 192.168.1.12 admin des-password xxx

ip route 0.0.0.0 0.0.0.0 192.168.1.1 1

!************************** CIRCUIT **************************

circuit VLAN1

ip address 192.168.1.254 255.255.255.0

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list 1

ssl-server 20

ssl-server 20 vip address 192.168.1.253

ssl-server 20 cipher rsa-with-rc4-128-md5 192.168.1.253 8080 weight 5

ssl-server 20 rsakey rsakey

ssl-server 20 rsacert SSLCERT

active

!************************** SERVICE **************************

service server2

ip address 192.168.1.12

active

service server1

ip address 192.168.1.11

active

service ssl_serv1

type ssl-accel

slot 2

keepalive type none

add ssl-proxy-list 1

active

!*************************** OWNER ***************************

owner L5_Owner

content L3_Rule

add service server1

add service server2

vip address 192.168.1.253

balance srcip

active

content L5_Rule

add service server1

add service server2

vip address 192.168.1.253

protocol tcp

port 80

url "/*"

balance aca

active

owner ssl_Owner

content ssl_rule1

vip address 192.168.1.253

protocol tcp

port 443

application ssl

add service ssl_serv1

active

Many thanks in advance for assistance.

I always rate helpful posts.

Regards, Adrian

Labels:
0 Helpful
4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

‎02-05-2007 06:53 AM

Adrian,

indeed you need stickyness as browsers actually use multple TCP connections when going to a server.

sticky cookie seems to be the best in the this case.

I see that your proxy list redirect the traffic to 192.168.1.253 8080.

You do not have a content rule with this port so traffic will hit the default rule L3_Rule.

I would suggest configure a rule like this

content decrypted

add service server1

add service server2

vip address 192.168.1.253

protocol tcp

port 8080

url "/*"

advanced-balance arrowpoint-cookie

active

Gilles.

aoshea
Level 1
Level 1
In response to Gilles Dufour

‎02-05-2007 07:12 AM

Hi Gilles,

Many thanks for helping me out, I've been doing some investigation today as well ;-)

By configuring the above rule that matches specifically the secure traffic (http over port 8080 on server side & ssl 443 for clients connecting over the internet).

Should I also use the advanced-balance arrowpoint-cookie statement under the owner ssl_rule1 / content ssl_rule1 as even though this is encrypted between client and css it is not encrypted (port 8080 between css and server).

Should I still keep the original L3_Rule?

Should I also use this config for the L5_rule as well?

The reason I ask is that not sure where the web companies login fails (have meeting tomorrow) to see if it is before they enter the secure side of the site or not.

Also once I configure this do I need to go about setting up a web page to tell users how to enable cookies in their browsers if not switched on by default? (Think I do but little unsure as this is sometime referred as cookie INSERT ? is it the same).

After reading some of the notes on the earlier version of css code (pre 4.1) should it be best to set the expiration period on the cookies as well, read somewhere the client side would be one year unless set?

Thanks again, much appreciated assistance.

Best regards, Adrian.

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to aoshea

‎02-05-2007 11:04 PM

Adrian,

the cookie should only be applied to http rule. Never for SSL.

You can get rid of the L3_rule if it has no use.

You can enble the cookie on the http rule if needed.

You should indeed inform the users that they need to enable cookies when browsing this website.

You can set expiration time if you want but this is not a requirement.

Gilles.

aoshea
Level 1
Level 1
In response to Gilles Dufour

‎02-06-2007 01:45 AM

Hi Gilles,

Thanks again for your assistance, I will add the new rule and test. I will then remove the L3_rule later if no longer matching traffic. If it resolves all my problems I owe you a big thank you. I will mark the post as resolved if positive news.

Thanks again. Best regards, Adrian.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents