SSL Sticky URL issue

Answered Question
Feb 8th, 2009

Hi Guys,


I have inherited the config on this loadbalancer to troubleshoot.

Our customer needs the CSS to create sticky sessions based on the jsessionid= in the URL. This does not seem to be working so well for us.


Can you have a look at config below and tell me where it is going wrong?

The client traces show encrypted data. I am waiting for a server trace.


Can the CSS make stickies based on URL with this config?




!*************************** GLOBAL ***************************
  ssl associate rsakey key.key key.key
  ssl associate cert ceis_cun ceis_cun_gov_uk.pem
  ssl associate cert queus queus_gov_uk.pem

  ip route 0.0.0.0 0.0.0.0 10.171.6.1 1

!************************* INTERFACE *************************
interface e1
  bridge vlan 20
  phy 100Mbits-FD

interface e2
  bridge vlan 20
  phy 100Mbits-FD

interface e3
  bridge vlan 20
  phy 100Mbits-FD

interface e4
  bridge vlan 20
  phy 100Mbits-FD

interface e5
  bridge vlan 20
  phy 100Mbits-FD

interface e6
  bridge vlan 20
  phy 100Mbits-FD

interface e7
  phy 100Mbits-FD

interface e8
  bridge vlan 20
  phy 100Mbits-FD

!************************** CIRCUIT **************************
circuit VLAN20

  ip address 10.171.6.5 255.255.255.192
    ip virtual-router 1 priority 110 preempt
    ip redundant-vip 1 10.171.6.4
    ip redundant-vip 1 10.171.6.10
    ip redundant-interface 1 10.171.6.9

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl
  ssl-server 4
  ssl-server 4 vip address 10.171.6.4
  ssl-server 4 rsacert ceis_cun
  ssl-server 4 rsakey key.key
  ssl-server 10
  ssl-server 10 vip address 10.171.6.10
  ssl-server 10 rsakey key.key
  ssl-server 10 rsacert queus
  ssl-server 4 cipher rsa-with-rc4-128-md5 10.171.6.14 80
  ssl-server 10 cipher rsa-with-rc4-128-md5 10.171.6.14 80
  active

!************************** SERVICE **************************
service app-1
  ip address 10.171.6.21
  port 80
  keepalive port 80
  keepalive type http
  keepalive uri "/uptime.txt"
  active

service app-2
  ip address 10.171.6.22
  port 80
  keepalive type http
  keepalive uri "/uptime.txt"
  active

service app-3
  ip address 10.171.6.23
  port 80
  keepalive type http
  keepalive uri "/uptime.txt"
  active

service REDIRECT_ceis
  keepalive type none
  type redirect
  no prepend-http
  domain "https://queus.uk"
  active

service REDIRECT_que
  keepalive type none
  type redirect
  no prepend-http
  domain "https://ceis.cun.uk"
  active

service ssl-module
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list ssl
  active

!*************************** OWNER ***************************
owner content

  content app-http
    add service app-1
    add service app-2
    add service app-3
    vip address 10.171.6.14
    protocol tcp
    port 80
    string range 1 to 22
    advanced-balance url
    string prefix "jsessionid="
    active

  content REDIRECT_ceis
    vip address 10.171.6.10
    add service REDIRECT_ceis
    protocol tcp
    port 80
    url "/*"
    active

  content REDIRECT_que
    port 80
    url "/*"
    protocol tcp
    vip address 10.171.6.4
    add service REDIRECT_que
    active

  content SSL_ceis
    port 443
    vip address 10.171.6.10
    add service ssl-module
    active

  content SSL_que
    port 443
    protocol tcp
    vip address 10.171.6.4
    add service ssl-module
    active



Cheers


Stephen


Gilles Dufour Mon, 02/09/2009 - 00:19

Stephen,


The CSS does not support dynamic cookies.

We can work with a static cookie - you know in advance the cookie value or a portion of the cookie set by the server. Or you let the CSS generate its own cookie value.


The new ACE Appliance C4710 does support dynamic cookies.


Gilles.

stephen.stack Mon, 02/09/2009 - 00:40

Hi Gilles,


Thanks for the reply. In our case, the text that comes after the jsessionid= is static for the duration of the session. But only for that session.

Is this classified as a dynamic cookie?


Also, is it the case with our config that the CSS cannot read the URL header because it is encrypted?


Thanks

Stephen

Gilles Dufour Mon, 02/09/2009 - 08:15

Stephen,


It is considered dynamic.

If the jsessionid contained the server name (which is normally static) we could stick using that info.


Try arrowpoint-cookie instead.

If the client browser supports cookies, another one would not be a problem.


The command you need is 'advanced-balance arrowpoint'


Gilles.

stephen.stack Tue, 02/10/2009 - 13:36

Hi Gilles,


Thanks for the update. This is very helpful.

We have gone back to the developers to have them attempt to pass a specific string per server in the URL.

i.e.

jsessionid=server1568756

jsessionid=server2776867

etc...


I assume this is what you mean? Once a specific string is passed for each server, we can provide sticky on this?


Thanks


Stephen

Correct Answer
Gilles Dufour Wed, 02/11/2009 - 03:09

Stephen,


This is exactly what I meant.

Once there is a static portion in the cookie, you can assign this static value to the service and tell the CSS to match the cookie value to the string configured under the service.


This should be described in the documentation.

If you have a problem with this, let me know.


I'd like to also repeat the fact that the arrowpoint cookie is a valid solution which does not require any modification of the servers.

ACE will inject a static cookie that is different for each server.


G.

stephen.stack Wed, 02/11/2009 - 03:12

Thanks for your help again, Gilles.


I agree about arrowpoint, but the application developers do not want to use it.


We will attempt to put static entries in the URL/Cookie.



Thanks for your help again.


Stephen

stephen.stack Mon, 02/16/2009 - 10:35

Hi Gilles,


I have applied a new config as the app developer has applied a static portion to the cookie.


The URL is https://url.domain.local/whoShould;jsessionid=1940875311106FF91885.app2



A portion of our new config is


service 2011-dun-app-1
  ip address 10.171.6.21
  port 80
  keepalive uri "/uptime.txt"
  keepalive type http
  string app1
  active

service 2011-dun-app-2
  ip address 10.171.6.22
  port 80
  keepalive uri "/uptime.txt"
  keepalive type http
  string app2
  active

service 2011-dun-app-3
  ip address 10.171.6.23
  port 80
  keepalive uri "/uptime.txt"
  keepalive type http
  string app3
  active

!*************************** OWNER ***************************
owner 2011

  content 2011-dun-app-http
    add service 2011-dun-app-1
    add service 2011-dun-app-2
    add service 2011-dun-app-3
    vip address 10.171.6.14
    string match first-string-found
    advanced-balance url
    string range 1 to 200
    string process-length 4
    string skip-length 21
    port 80
    protocol tcp
    string prefix "jsessionid="
    active



But stickiness is still not working. :(


Has the fact that HTTPS is on this box anything to do with my issue?


Thanks again


Stephen
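
Added example, not part of the thread and not Cisco code: a Python model of the string offsets in the content rule posted above, checked against the URL from the same post. The extraction semantics (find the prefix inside the range, skip `skip-length` bytes, take `process-length` bytes) and the function names are assumptions; the second URL is constructed to show what a fixed skip does when the session id has a different length.

```python
# Added model, not Cisco code. Assumed semantics: within bytes
# range_start..range_end of the URL, find `prefix`, skip `skip_length`
# bytes after it, then take `process_length` bytes as the sticky string.

# "string" values and addresses from the services in the post above.
SERVICES = {"app1": "10.171.6.21", "app2": "10.171.6.22", "app3": "10.171.6.23"}


def sticky_string(url, prefix="jsessionid=", range_start=1, range_end=200,
                  skip_length=21, process_length=4):
    """Return the token that would be compared with each service string."""
    window = url[range_start - 1:range_end]      # range is 1-based, inclusive
    pos = window.find(prefix)
    if pos < 0:
        return None                              # no jsessionid in the URL
    start = pos + len(prefix) + skip_length
    token = window[start:start + process_length]
    # A short or missing token means the fixed offsets ran past the value.
    return token if len(token) == process_length else None


def pick_service(url, **rule):
    """Map the extracted token to a server; None means no sticky match."""
    return SERVICES.get(sticky_string(url, **rule))


# Path of the URL quoted in the post: 20-character id, ".", then "app2".
POSTED = "/whoShould;jsessionid=1940875311106FF91885.app2"
# Constructed: same format with a 15-character id, so skip 21 overshoots.
SHORT_ID = "/whoShould;jsessionid=19408753FF91885.app2"
# Keepalive path from the config, which carries no session id.
NO_ID = "/uptime.txt"

if __name__ == "__main__":
    for url in (POSTED, SHORT_ID, NO_ID):
        print(url, "->", sticky_string(url), pick_service(url))
```

Under this model the posted URL yields `app2` and maps to 10.171.6.22, so the skip and process lengths agree with the URL format; they hold only while the session id stays 20 characters long.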

jason.espino Wed, 02/18/2009 - 17:39

Hello Stephen,


Have you tried changing the advanced-balance method on the content rule to cookies or cookieurl? Also, apply the following within the content rule "url /*". Since you are attempting to use L5 persistence this command will force the CSS to see this content rule as a layer 5 rule.


Hope the info helps!


Gilles Dufour Thu, 02/19/2009 - 01:39