Stickiness Configuration on ACE

Unanswered Question
May 11th, 2009

I have a Secure application servers, and want to implement stickiness on ACE 4710, I want to configure the SSL session based stickiness, pls let me know how can I do that, also let me know what other type of stickiness can be used with secure application, ACE is connected in single arm design with source nat configured.

Fayyaz

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Mon, 05/11/2009 - 05:31

See sample config below.

Other options are 1/ terminate SSL on ACE and do cookie sticky 2/ source ip stickyness.

Sample Config for session id stickyness:

-----------------------------------------

3. Create an SSL-v3 sticky group and associate the serverfarm. Good

idea to configure a sticky timeout value. This specifies the period of time

that the ACE keeps the sticky information in the sticky table. Note the ACE

resets the timer each time ACE opens connections matching that entry. Also

configure the Layer 4 sticky parameters for 32 bytes session ID.

sticky layer4-payload ssl-v3

timeout 600

serverfarm HTTPS-FARM

response sticky

layer4-payload offset 43 length 32 begin-pattern "\x20"

When a new session is established between client and server, the server

generates a session id. The session id is an arbitrary sequence of bytes.

The length of the session id is 16 bytes for SSLv2 sessions and between 1

and 32 bytes for SSLv3/TLSv1. The session id is not security critical but

must be unique for the server. Additionally, the session id is transmitted

in the clear when reusing the session so it must not contain sensitive

information.

4. Create a class-map to match the layer 4 payload.

class-map type generic match-any SSL-v3-32

2 match layer4-payload regex "\x16\x03\x00..\x01.*"

3 match layer4-payload regex "\x16\x03\x01..\x01.*"

5. Create a new generic load balance policy map and assoiciate the

sticky-serverfarm understand the class.

policy-map type loadbalance generic first-match SSL-v3-Sticky

class SSL-v3-32

sticky-serverfarm ssl-v3

6. Change to the client-vips policy map to represent the new

SSL-v3-Sticky policy you just created

policy-map multi-match client-vips

class VIP-HTTPS

loadbalance vip inservice

loadbalance policy SSL-v3-Sticky

loadbalance vip icmp-reply active

fayyaz_s Mon, 06/08/2009 - 02:11

Dear,

Please let me know how can I add the class-map generic to multi-match policy and also how to use the existing class-map for virtual address.

Regards

Fayyaz

Actions

This Discussion