ACE Best Sticky Method for SSL Traffic

will · ‎05-05-2009

Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:

1) low volume sites, 2 real servers

2) ACE _will not_ do SSL offloading

3) Balancing HTTPS requests

4) Many versions of HTTP clients

5) Currently running ACE A1 code

I am thinking of:

1) TCP Header | HostID inspection

2) SSL-session ID (not good if re-key often though)

3) Any suggestions?

many thx,

WR

ciscocsoc · ‎05-05-2009

Hi,

In the circumstances you describe I'd use source-ip as the stickiness factor.

HTH

Cathy

sachinga.hcl · ‎06-01-2009

Hi Will,

You can see a comple configured example for your perusal in this regard for

Configure ACE Module for End to End SSL Termination

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

And Many more here regarding

Data Center Application Services Configuration Examples:

http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

Hope these configuration examples will be useful to you.

Sachin Garg

Kristopher Martinez · ‎06-10-2009

If you client traffic is diverse, source IP persistence works great. If not, you have a couple options:

1. Since you have a 4710, you should offload the SSL on the device and do some sort of header persistence. I would recommend having the 4710 do cookie insert.

2. If you do not offload the SSL, your only other option besides SRC-IP is SSL-ID. You've already stated the drawback on using that.

I'd also recommend looking at newer versions of ACE code for that device.

http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

Regards

Kris