Stickiness Configuration on ACE

Unanswered Question
May 11th, 2009

I have secure application servers and want to implement stickiness on an ACE 4710. I want to configure SSL session-based stickiness; please let me know how I can do that, and also what other types of stickiness can be used with a secure application. The ACE is connected in a single-arm design with source NAT configured.


Fayyaz

Gilles Dufour (Cisco Employee) Mon, 05/11/2009 - 05:31

See sample config below.

Other options are: 1/ terminate SSL on the ACE and do cookie stickiness; 2/ source-IP stickiness.


Sample config for session-ID stickiness:

-----------------------------------------

3. Create an SSL-v3 sticky group and associate the serverfarm. Good idea to configure a sticky timeout value. This specifies the period of time that the ACE keeps the sticky information in the sticky table. Note the ACE resets the timer each time the ACE opens connections matching that entry. Also configure the Layer 4 sticky parameters for a 32-byte session ID.

sticky layer4-payload ssl-v3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

When a new session is established between client and server, the server generates a session id. The session id is an arbitrary sequence of bytes. The length of the session id is 16 bytes for SSLv2 sessions and between 1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical but must be unique for the server. Additionally, the session id is transmitted in the clear when reusing the session, so it must not contain sensitive information.

4. Create a class-map to match the layer 4 payload.

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

5. Create a new generic load balance policy map and associate the sticky-serverfarm under the class.

policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
    sticky-serverfarm ssl-v3

6. Change the client-vips policy map to reference the new SSL-v3-Sticky policy you just created.

policy-map multi-match client-vips
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
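The numbers in the sample config are not arbitrary: in an SSLv3/TLS 1.0 ServerHello the record header (5 bytes), handshake header (4 bytes), protocol version (2 bytes) and server random (32 bytes) add up to 43 bytes, so byte 43 is the session-ID length field, and 0x20 there means a 32-byte session ID follows. The Python below is an added illustration (not Cisco's or Gilles's code): it builds constructed SSLv3/TLS Hello records, applies the two class-map regexes to the client side, and models the `offset 43 length 32 begin-pattern "\x20"` sticky parameters as "pattern must sit at the offset, take the next 32 bytes". That anchored interpretation and the use of `re.DOTALL` for the `..` length bytes are assumptions about how the ACE engine behaves; the byte layout itself is the SSL/TLS wire format.

```python
import re

# SSLv3/TLS 1.0 Hello layout (wire format, not an assumption):
#   record header: type(1) version(2) length(2)          -> 5 bytes
#   handshake header: type(1) length(3)                  -> 4 bytes
#   hello body: version(2) random(32) sid_len(1) sid(0-32) ...
RECORD_HDR_LEN = 5
HANDSHAKE_HDR_LEN = 4
HELLO_VERSION_LEN = 2
RANDOM_LEN = 32
# 5 + 4 + 2 + 32 = 43: position of the session-ID length byte
SESSION_ID_LEN_OFFSET = RECORD_HDR_LEN + HANDSHAKE_HDR_LEN + HELLO_VERSION_LEN + RANDOM_LEN

# Python equivalents of the two class-map lines. re.DOTALL so '..' consumes the
# two record-length bytes whatever their value (assumption: the ACE '.' does too).
CLIENT_HELLO_PATTERNS = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),  # SSLv3 ClientHello
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),  # TLS 1.0 ClientHello
]

def build_hello(handshake_type, version, session_id, random_bytes=b"\x11" * 32):
    """Build a minimal, constructed Hello record (0x01 ClientHello, 0x02 ServerHello)."""
    body = version + random_bytes + bytes([len(session_id)]) + session_id
    if handshake_type == 0x01:
        # ClientHello: cipher-suite vector (1 suite) + compression vector (null only)
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"
    else:
        # ServerHello: chosen cipher suite + chosen compression method
        body += b"\x00\x2f" + b"\x00"
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

def matches_class_map(record):
    """True if the client-side record would hit class-map SSL-v3-32."""
    return any(p.match(record) for p in CLIENT_HELLO_PATTERNS)

def extract_sticky_value(record, offset=SESSION_ID_LEN_OFFSET, length=32, begin_pattern=b"\x20"):
    """Model 'layer4-payload offset 43 length 32 begin-pattern "\\x20"' on a server response.

    Assumption: the begin-pattern must appear exactly at the offset; the sticky
    value is the `length` bytes that follow it. Returns None when nothing can be
    learned, which is what happens when the server issues a session ID shorter
    than 32 bytes (its length byte is then not 0x20).
    """
    if record[offset:offset + len(begin_pattern)] != begin_pattern:
        return None
    start = offset + len(begin_pattern)
    value = record[start:start + length]
    return value if len(value) == length else None

if __name__ == "__main__":
    sid = bytes(range(32))                       # constructed 32-byte session ID
    server_hello = build_hello(0x02, b"\x03\x01", sid)
    client_hello = build_hello(0x01, b"\x03\x01", b"")
    print("client hello hits class-map:", matches_class_map(client_hello))
    print("learned sticky value:", extract_sticky_value(server_hello).hex())
    short = build_hello(0x02, b"\x03\x01", b"\xaa" * 8)
    print("8-byte session ID learned:", extract_sticky_value(short))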



fayyaz_s Mon, 06/08/2009 - 02:11

Dear,

Please let me know how I can add the generic class-map to the multi-match policy, and also how to use the existing class-map for the virtual address.


Regards


Fayyaz
