CSS sticky configuration for clients behind a NAT router

Unanswered Question
Oct 26th, 2007

The problem is that CSS is overloading one service/server. 90% of all active client connections are sent to one single back-end service/server instead of being equally distributed to all three servers.

This is a new CSS11503 (installed 2 months ago).

Our SSL VIP is configured as follows:

content W3CFM-443
  vip address x.x.x.14
  protocol tcp
  port 443
  application ssl
  advanced-balance ssl
  add service server1
  add service server2
  add service server3


The vast majority of clients are connecting to this VIP from behind a NAT router (a Cisco overload NAT router), therefore the CSS sees all clients with the same source IP address (normally 200 active concurrent users).

Will our "imbalance" issue be solved by issuing the following configuration command?

"ssl-l4-fallback disable"

Gilles Dufour Tue, 10/30/2007 - 06:07

Indeed, this command could help.

Because with the default, the CSS would use sticky srcip if it can't find the SSL id.

But if you need stickiness [why configure advanced-balance ssl if you don't], then you'll lose it with this command.

You may have to use an SSL module to decrypt the traffic and use cookie stickiness.

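A simplified model of the two sticky decision paths discussed above, added here as an illustration and not code from the thread or from the CSS itself. It assumes the default balance method is round-robin and reduces the CSS logic to: stick on a known SSL session ID when the ClientHello carries one; otherwise either stick on source IP (the default ssl-l4-fallback) or just L4-balance the connection (ssl-l4-fallback disable). The NAT address and session IDs are constructed values.

```python
from collections import Counter
from itertools import cycle

SERVERS = ["server1", "server2", "server3"]  # the three services in the VIP


class SslStickyVip:
    """Toy model of 'advanced-balance ssl' with/without the srcip L4 fallback."""

    def __init__(self, l4_fallback=True):
        self.l4_fallback = l4_fallback  # True = default, False = 'ssl-l4-fallback disable'
        self.by_ssl_id = {}             # SSL session ID -> server (SSL sticky table)
        self.by_src_ip = {}             # source IP -> server (fallback sticky table)
        self.rr = cycle(SERVERS)        # assumed default balance method: round-robin

    def pick(self, src_ip, ssl_session_id):
        # A ClientHello that resumes a session the CSS already knows is sticky.
        if ssl_session_id and ssl_session_id in self.by_ssl_id:
            return self.by_ssl_id[ssl_session_id]
        if ssl_session_id is None and self.l4_fallback:
            # Default: no usable SSL ID, so stick on source IP. Behind an
            # overload NAT every client shares one IP and lands on one server.
            if src_ip not in self.by_src_ip:
                self.by_src_ip[src_ip] = next(self.rr)
            return self.by_src_ip[src_ip]
        # Fallback disabled: plain L4 balancing, no stickiness for this hit.
        return next(self.rr)

    def learn(self, ssl_session_id, server):
        """Record the session ID the chosen server issued, for later resumption."""
        self.by_ssl_id[ssl_session_id] = server


def distribution(l4_fallback, clients=200, nat_ip="198.51.100.7"):
    """200 fresh handshakes (no session ID) from one NAT address; hits per server."""
    vip = SslStickyVip(l4_fallback)
    counts = Counter(vip.pick(nat_ip, None) for _ in range(clients))
    return dict(counts)


def resumed_session_sticks(l4_fallback, nat_ip="198.51.100.7"):
    """Once a session ID is learned, resumptions follow it in both modes."""
    vip = SslStickyVip(l4_fallback)
    first = vip.pick(nat_ip, None)
    vip.learn("sess-A", first)  # constructed session ID issued by 'first'
    return all(vip.pick(nat_ip, "sess-A") == first for _ in range(5))
```

With the fallback enabled, every connection from the NAT address sticks to the first server chosen; with it disabled, connections without a known session ID are spread round-robin but get no stickiness of their own.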

dcayer Wed, 10/31/2007 - 08:40

Thanks Gilles,

What do you mean by "you'll lose stickyness with this command"? ...SSL stickiness will no longer work if I configure the "ssl-l4-fallback disable" command?

The option to use the SSL module with cookie stickiness was my initial configuration; however, performance of HTTPS traffic actually degraded (web page load times were slower) when I tried to use the SSL module to off-load the SSL traffic from the web servers. So we're stuck with using SSL sticky for now.

