02-11-2009 06:32 PM
Do you know how to configure the 11501 to have sticky with cookie while SSL is used?
Thanks.
02-11-2009 06:55 PM
Are you offloading SSL on the CSS?
If not, then the CSS can't look into the header and you cannot use a cookie as sticky.
Syed Iftekhar Ahmed
02-11-2009 07:01 PM
SSL is NOT terminated on the 11501; the cert is installed on the web servers behind the CSS. Can I use a cookie as sticky?
Thanks.
02-11-2009 07:44 PM
No, you cannot.
As I said earlier, traffic that passes through the CSS will be encrypted. The CSS won't be able to open the header and read the cookie.
Your only option is to use IP address based stickiness.
Syed Iftekhar Ahmed
02-12-2009 08:55 AM
If SSL is terminated on the server, you either do stickiness based on SSL ID, on source IP, or on source IP/destination port, because you cannot read the cookie within the SSL (encrypted) traffic.
Hope this helps
02-12-2009 12:23 PM
I am not an advocate of SSL ID based stickiness.
It should be kept in mind that using the SSL ID as a sticky method is not very reliable (because of SSL renegotiation by some clients).
For example, some IE versions renegotiate the SSL ID during a session. This forces a new session ID, so stickiness is lost.
Source IP is more reliable unless a large number of clients are using the same source IP address (e.g. behind a mega proxy server).
The following link will give you some idea about SSL ID renegotiation:
http://support.microsoft.com/kb/265369
Syed Iftekhar Ahmed
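To make the trade-offs in this thread concrete, here is an added Python simulation (not code from the thread, from Cisco, or from the CSS itself) of a minimal sticky table driven by the three methods discussed: cookie, SSL session ID and source IP. It assumes two backends named WEB01/WEB02 as in the poster's config, models the inactivity timer generically (not as any specific CSS command), and uses constructed connection records. It shows that cookie stickiness yields no key at all when SSL is not terminated on the balancer, that an SSL ID renegotiation silently drops a client out of its sticky entry, and that source-IP stickiness pins every client behind one mega proxy to a single server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVERS = ["WEB01", "WEB02"]          # backend names taken from the config in the thread


@dataclass
class Conn:
    """One client connection as the balancer sees it (constructed sample data)."""
    src_ip: str
    ssl_session_id: Optional[str]     # changes when the browser renegotiates a new session
    t: float = 0.0                    # arrival time in minutes
    cookie: Optional[str] = None      # readable only if SSL is terminated on the balancer


def sticky_key(conn: Conn, method: str, ssl_terminated: bool) -> Optional[str]:
    """Return the value the sticky table is keyed on, or None if no key is usable."""
    if method == "cookie":
        # Without SSL offload the HTTP headers are ciphertext to the balancer,
        # so there is no cookie to key on at all.
        return conn.cookie if ssl_terminated else None
    if method == "ssl":
        return conn.ssl_session_id
    if method == "srcip":
        return conn.src_ip
    raise ValueError(f"unknown sticky method {method!r}")


class StickyTable:
    """Minimal sticky table: key -> (server, last-seen time), with inactivity expiry."""

    def __init__(self, method: str, ssl_terminated: bool = False, inact_timeout: float = 30.0):
        self.method = method
        self.ssl_terminated = ssl_terminated
        self.inact_timeout = inact_timeout        # minutes; hypothetical generic timer
        self.table: Dict[str, Tuple[str, float]] = {}
        self._rr = 0

    def _next_server(self) -> str:
        srv = SERVERS[self._rr % len(SERVERS)]
        self._rr += 1
        return srv

    def pick(self, conn: Conn) -> Tuple[str, bool]:
        """Return (server chosen, whether an existing sticky entry was hit)."""
        key = sticky_key(conn, self.method, self.ssl_terminated)
        if key is None:
            return self._next_server(), False     # plain round-robin, persistence impossible
        entry = self.table.get(key)
        if entry is not None and conn.t - entry[1] <= self.inact_timeout:
            self.table[key] = (entry[0], conn.t)  # refresh the inactivity timer
            return entry[0], True
        srv = self._next_server()                 # new key, or entry expired
        self.table[key] = (srv, conn.t)
        return srv, False


def simulate(method: str, conns: List[Conn], ssl_terminated: bool = False,
             inact_timeout: float = 30.0) -> List[Tuple[str, bool]]:
    table = StickyTable(method, ssl_terminated, inact_timeout)
    return [table.pick(c) for c in conns]


def server_load(method: str, conns: List[Conn]) -> Dict[str, int]:
    """Count how many connections each backend received under a sticky method."""
    load = {s: 0 for s in SERVERS}
    for srv, _ in simulate(method, conns):
        load[srv] += 1
    return load


# Constructed scenarios (all addresses are documentation ranges, not real hosts)
# 1. A browser that renegotiates its SSL session id mid-visit, as described for some IE versions
RENEGOTIATING_CLIENT = [
    Conn("203.0.113.10", "sess-A", t=0),
    Conn("203.0.113.10", "sess-A", t=5),
    Conn("203.0.113.10", "sess-B", t=10),   # renegotiated: new id, old sticky entry useless
]
# 2. Two hundred clients behind one mega proxy, plus one client on its own address
MEGA_PROXY = [Conn("198.51.100.1", f"sess-{i}", t=i * 0.01) for i in range(200)] + [
    Conn("203.0.113.20", "sess-x", t=1)
]
# 3. A client that comes back after the 30-minute inactivity timer has run out
IDLE_CLIENT = [Conn("203.0.113.30", "sess-C", t=0), Conn("203.0.113.30", "sess-C", t=45)]

if __name__ == "__main__":
    print("ssl   :", simulate("ssl", RENEGOTIATING_CLIENT))
    print("srcip :", simulate("srcip", RENEGOTIATING_CLIENT))
    print("cookie:", simulate("cookie", RENEGOTIATING_CLIENT))
    print("srcip load behind mega proxy:", server_load("srcip", MEGA_PROXY))
    print("ssl load behind mega proxy:  ", server_load("ssl", MEGA_PROXY))
    print("idle client, 30 min timer:   ", simulate("srcip", IDLE_CLIENT))
```

The third scenario is the one to keep in mind when an application team reports a "30 minute timer that does not work": a sticky entry that expires on balancer inactivity is a different clock from the application's session timeout, so a client can be sent to the other server while its application session is still valid.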
02-13-2009 01:17 AM
Thanks Syed.
Below is my existing configuration:
content SSL
  vip address 10.106.13.224
  redundant-index 36
  advanced-balance ssl
  application ssl
  add service WEB01
  add service WEB02
  protocol tcp
  port 443
  url "/*"
  active
Do you recommend replacing the following with "advanced-balance sticky-srcip"?
  advanced-balance ssl
  application ssl
  port 443
Thanks.
02-13-2009 02:07 AM
If you are running this config without any complaints then you don't need to change it.
The SSL ID renegotiation problem is with a limited number of browsers. If you are not receiving any complaints then you are good.
Syed Iftekhar Ahmed
02-14-2009 07:47 AM
The application team complain that their timeout counter of 30 min does not seem to be working very well.
Maybe it's worth a try to replace the commands.