05-11-2009 05:04 AM
I have secure application servers and want to implement stickiness on an ACE 4710. I want to configure SSL session-based stickiness; please let me know how I can do that, and also what other types of stickiness can be used with a secure application. The ACE is connected in a single-arm design with source NAT configured.
Fayyaz
05-11-2009 05:31 AM
See sample config below.
Other options are 1/ terminate SSL on ACE and do cookie sticky 2/ source IP stickiness.
Sample config for session ID stickiness:
-----------------------------------------
3. Create an SSL-v3 sticky group and associate the serverfarm. Good idea to configure a sticky timeout value. This specifies the period of time that the ACE keeps the sticky information in the sticky table. Note the ACE resets the timer each time ACE opens connections matching that entry. Also configure the Layer 4 sticky parameters for the 32-byte session ID.

sticky layer4-payload ssl-v3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

When a new session is established between client and server, the server generates a session id. The session id is an arbitrary sequence of bytes. The length of the session id is 16 bytes for SSLv2 sessions and between 1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical but must be unique for the server. Additionally, the session id is transmitted in the clear when reusing the session so it must not contain sensitive information.

4. Create a class-map to match the layer 4 payload.

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

5. Create a new generic load balance policy map and associate the sticky-serverfarm under the class.

policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
    sticky-serverfarm ssl-v3

6. Change to the client-vips policy map to reference the new SSL-v3-Sticky policy you just created.

policy-map multi-match client-vips
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
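The offsets in the sample config above are not arbitrary: the class-map regexes key on the record-layer header of a ClientHello (content type 0x16, record version 3.0 or 3.1, handshake type 0x01), and the sticky group's `offset 43` lands on the session_id length byte because the record header (5), handshake header (4), version (2) and random (32) add up to 43 in both ClientHello and ServerHello. The following is an added example, not code from the original post or from Cisco: a small Python parser that mirrors those two checks over constructed ServerHello/ClientHello bytes, so you can confirm against a packet capture which handshakes the ACE would classify and which session IDs it would learn. The message-building helper, the sample session ID and the `ace_sticky_key` name are assumptions made for this illustration.

```python
# Added example: checks the TLS/SSLv3 Hello layout that the ACE class-map
# regex and the "layer4-payload offset 43 length 32 begin-pattern \x20"
# sticky group rely on. Not part of the original post.
from typing import Optional

HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02
SESSION_ID_OFFSET = 43  # 5 (record hdr) + 4 (hs hdr) + 2 (version) + 32 (random)


def matches_ace_classmap(payload: bytes) -> bool:
    """Mirror of the two class-map regexes: handshake record, record-layer
    version 0x0300 or 0x0301, two length bytes, then ClientHello type."""
    return (len(payload) >= 6
            and payload[0] == HANDSHAKE
            and payload[1] == 0x03 and payload[2] in (0x00, 0x01)
            and payload[5] == CLIENT_HELLO)


def extract_session_id(payload: bytes) -> Optional[bytes]:
    """General parser: returns the session_id of a ClientHello or ServerHello
    whatever its length (1..32), or None if there is none / the record is short."""
    if len(payload) <= SESSION_ID_OFFSET or payload[0] != HANDSHAKE:
        return None
    if payload[5] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    sid_len = payload[SESSION_ID_OFFSET]
    if sid_len == 0:                      # empty session_id: nothing to stick on
        return None
    sid = payload[SESSION_ID_OFFSET + 1:SESSION_ID_OFFSET + 1 + sid_len]
    return sid if len(sid) == sid_len else None


def ace_sticky_key(payload: bytes) -> Optional[bytes]:
    """What the sticky group would learn: only a length byte of 0x20 (the
    begin-pattern) followed by 32 bytes yields a sticky entry."""
    start = SESSION_ID_OFFSET + 1
    if len(payload) < start + 32 or payload[SESSION_ID_OFFSET] != 0x20:
        return None
    return payload[start:start + 32]


def build_hello(hs_type: int, version: bytes, session_id: bytes) -> bytes:
    """Constructed test data (assumption, not a captured handshake): a minimal
    Hello with one cipher suite and null compression inside one TLS record."""
    body = version + bytes(32) + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # suites list, compression list
    else:
        body += b"\x00\x2f" + b"\x00"               # chosen suite, compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + len(hs).to_bytes(2, "big") + hs


# Constructed samples: a 32-byte session id as the server would issue it.
SAMPLE_SID = bytes(range(0x11, 0x31))
TLS10 = b"\x03\x01"
SERVER_HELLO_32 = build_hello(SERVER_HELLO, TLS10, SAMPLE_SID)   # learned by "response sticky"
SERVER_HELLO_NOSID = build_hello(SERVER_HELLO, TLS10, b"")       # server refused to cache
CLIENT_HELLO_RESUME = build_hello(CLIENT_HELLO, TLS10, SAMPLE_SID)  # client resuming
CLIENT_HELLO_TLS12 = build_hello(CLIENT_HELLO, b"\x03\x03", b"")    # record version 0x0303


def classify(payload: bytes) -> str:
    """One-line verdict for a captured record, handy when stepping through a pcap."""
    if not matches_ace_classmap(payload):
        return "class-map SSL-v3-32: no match"
    key = ace_sticky_key(payload)
    return "match, sticky key " + key.hex() if key else "match, no 32-byte session id"


if __name__ == "__main__":
    for name, rec in [("ServerHello 32-byte sid", SERVER_HELLO_32),
                      ("ServerHello no sid", SERVER_HELLO_NOSID),
                      ("ClientHello resume", CLIENT_HELLO_RESUME),
                      ("ClientHello rec. version 3.3", CLIENT_HELLO_TLS12)]:
        print(f"{name:30s} {classify(rec)}  sid={extract_session_id(rec)}")
```

Two things the example makes visible that the config alone does not. First, the sticky group only learns when the server actually hands out a 32-byte session ID; a server that returns an empty session ID (or resumes via tickets rather than IDs) never populates the sticky table, and those flows fall back to plain load balancing. Second, the class-map only matches record-layer versions 0x0300 and 0x0301; a client that puts 0x0302 or 0x0303 in the record header will not hit `SSL-v3-32` at all, so confirm the record version your clients send before relying on this match.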
06-08-2009 02:11 AM
Dear,
Please let me know how I can add the generic class-map to the multi-match policy, and also how to use the existing class-map for the virtual address.
Regards
Fayyaz