Stickiness Configuration on ACE

fayyaz_s
Level 1

I have secure application servers and want to implement stickiness on an ACE 4710. I want to configure SSL session-based stickiness; please let me know how I can do that, and also what other types of stickiness can be used with a secure application. The ACE is connected in a single-arm design with source NAT configured.

Fayyaz

2 Replies

Gilles Dufour
Cisco Employee

See the sample config below.

Other options are: 1) terminate SSL on the ACE and do cookie stickiness; 2) source IP stickiness.

Sample config for session ID stickiness:

-----------------------------------------

3. Create an SSL-v3 sticky group and associate the serverfarm. It is a good idea to configure a sticky timeout value. This specifies the period of time that the ACE keeps the sticky information in the sticky table. Note that the ACE resets the timer each time it opens a connection matching that entry. Also configure the Layer 4 sticky parameters for the 32-byte session ID.

sticky layer4-payload ssl-v3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

When a new session is established between client and server, the server generates a session ID. The session ID is an arbitrary sequence of bytes. The length of the session ID is 16 bytes for SSLv2 sessions and between 1 and 32 bytes for SSLv3/TLSv1. The session ID is not security critical but must be unique for the server. Additionally, the session ID is transmitted in the clear when reusing the session, so it must not contain sensitive information.

4. Create a class-map to match the Layer 4 payload.

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

5. Create a new generic load-balance policy map and associate the sticky serverfarm under the class.

policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
    sticky-serverfarm ssl-v3

6. Change the client-vips policy map to reference the new SSL-v3-Sticky policy you just created.

policy-map multi-match client-vips
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-v3-Sticky
    loadbalance vip icmp-reply active
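The Python script below is an added illustration, not part of the original thread and not Cisco ACE code. It emulates the two rules from the sample config over constructed SSLv3/TLS 1.0 ClientHello and ServerHello records: the class-map regexes "\x16\x03\x00..\x01.*" / "\x16\x03\x01..\x01.*" that select the ClientHello, and the sticky rule "layer4-payload offset 43 length 32 begin-pattern \x20" that pulls the 32-byte session ID out of the ServerHello ("response sticky") and later out of the resuming ClientHello. The offset 43 is 5 bytes of record header, 4 of handshake header, 2 of version and 32 of Random, so the begin-pattern is the session-ID length byte. The record bytes, cipher suites and real-server names are constructed; the assumption that the ACE searches for begin-pattern from the offset onward and takes length bytes after it is mine.

```python
"""
Emulation of the ACE SSL session-ID sticky rules (added example, not ACE code):
  class-map regex  "\x16\x03\x00..\x01.*" / "\x16\x03\x01..\x01.*"
  sticky rule      layer4-payload offset 43 length 32 begin-pattern "\x20"
"""
import re

# The two match lines of 'class-map type generic match-any SSL-v3-32':
# 0x16 = handshake record, 0x0300 = SSLv3 / 0x0301 = TLS 1.0 record version,
# two record-length bytes, then handshake type 0x01 = ClientHello.
CLIENT_HELLO_PATTERNS = (
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
)

# 'layer4-payload offset 43 length 32 begin-pattern "\x20"'
STICKY_OFFSET = 43              # 5 record hdr + 4 handshake hdr + 2 version + 32 Random
STICKY_BEGIN_PATTERN = b"\x20"  # session_id length byte must be 0x20 = 32
STICKY_LENGTH = 32


def _hello_record(handshake_type: int, version: bytes, session_id: bytes, tail: bytes) -> bytes:
    """Build a minimal SSLv3/TLS1.0 Hello record (constructed sample, not captured traffic)."""
    random_bytes = bytes(range(32))                   # stand-in for the 32-byte Random field
    body = version + random_bytes + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big")
    record_len = (len(handshake) + len(body)).to_bytes(2, "big")
    return b"\x16" + version + record_len + handshake + body


def build_client_hello(session_id: bytes = b"", version: bytes = b"\x03\x01") -> bytes:
    """ClientHello; a resuming client echoes the session ID it got from the server."""
    cipher_suites = b"\x00\x2f\x00\x35"              # TLS_RSA_WITH_AES_128/256_CBC_SHA
    tail = len(cipher_suites).to_bytes(2, "big") + cipher_suites + b"\x01\x00"  # + null compression
    return _hello_record(0x01, version, session_id, tail)


def build_server_hello(session_id: bytes, version: bytes = b"\x03\x01") -> bytes:
    """ServerHello carrying the server-generated session ID."""
    tail = b"\x00\x2f" + b"\x00"                      # chosen cipher suite + null compression
    return _hello_record(0x02, version, session_id, tail)


def matches_ssl_class_map(payload: bytes) -> bool:
    """'match-any': true if either regex matches the start of the client payload."""
    return any(p.match(payload) for p in CLIENT_HELLO_PATTERNS)


def extract_sticky_key(payload: bytes):
    """Apply the layer4-payload rule: skip STICKY_OFFSET bytes, look for the
    begin-pattern, take STICKY_LENGTH bytes after it. Returns None when the
    pattern is not found or fewer than 32 bytes follow it (no sticky entry).
    Assumption: the ACE searches for begin-pattern from the offset onward."""
    pos = payload.find(STICKY_BEGIN_PATTERN, STICKY_OFFSET)
    if pos < 0:
        return None
    start = pos + len(STICKY_BEGIN_PATTERN)
    key = payload[start:start + STICKY_LENGTH]
    return key if len(key) == STICKY_LENGTH else None


def learn_from_response(sticky_table: dict, server_payload: bytes, real_server: str) -> bool:
    """'response sticky': learn the key from the ServerHello the chosen server sent."""
    key = extract_sticky_key(server_payload)
    if key is None:
        return False
    sticky_table[key] = real_server
    return True


def pick_server(sticky_table: dict, client_payload: bytes, fallback: str):
    """Sticky lookup on a new connection: the class-map must match, then the
    same offset/pattern rule is applied to the ClientHello. Returns None when
    the SSL-v3-Sticky policy does not apply, the learned server on a hit,
    otherwise the fallback (normal load balancing)."""
    if not matches_ssl_class_map(client_payload):
        return None
    key = extract_sticky_key(client_payload)
    return sticky_table.get(key, fallback) if key else fallback


if __name__ == "__main__":
    sid = bytes(range(0xA0, 0xC0))                    # constructed 32-byte session ID
    table = {}
    learn_from_response(table, build_server_hello(sid), "rs1")
    print(pick_server(table, build_client_hello(session_id=sid), "rs2"))   # rs1 (sticky hit)
    print(pick_server(table, build_client_hello(), "rs2"))                 # rs2 (new session)
    print(extract_sticky_key(build_server_hello(b"ABCDEFGH")))             # None (ID not 32 bytes)
```

Two things the emulation makes visible that the config alone does not: a server that issues session IDs shorter than 32 bytes (the reply notes SSLv3/TLSv1 allows 1 to 32) never produces a begin-pattern hit, so the sticky table stays empty and every connection is load-balanced normally; and a ClientHello whose record version bytes are anything other than 03 00 or 03 01 does not match the class-map as written, so it falls through the SSL-v3-Sticky policy entirely.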

Dear Gilles,

Please let me know how I can add the generic class-map to the multi-match policy, and also how to use the existing class-map for the virtual address.

Regards

Fayyaz