ACE 4710 and load balancing with sticky cookie

Answered Question
Feb 3rd, 2010

Configuring load balancing with SSL termination and stickiness for a couple of Citrix XenApp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

Sean Merrow Wed, 02/03/2010 - 12:34

Hi David,

It is hard to say what is causing the cookie sticky to not work, given the data provided.

You might want to load up LiveHTTPHeaders on a Firefox browser and see if the browser is receiving the cookie from the server, and is returning the cookie in the subsequent request to the same host.  Also, you could try cookie-insert by adding the line to your sticky group...

sticky http-cookie CITRIXCOOKIE Sticky_Http_Cookie_Citrix
  cookie insert
  serverfarm SF_CitrixXenApp


Thank you,

Sean

DavidZC12 Wed, 02/03/2010 - 12:54

Using Wireshark to capture the packets from my PC, when I connect via the VIP address, which is HTTPS, I do not receive a cookie.  If I connect directly to the rserver via HTTP I do receive a cookie.  The stickiness should be using that cookie that is passed between the ACE and the rserver if the ACE is terminating SSL, correct? When I put one of the rservers out of service and connect to the VIP I do not see any data in the sh sticky database group Sticky_Http_Cookie_Citrix.  If I enable the cookie insert I see the following info.

sh sticky cookie-insert group Sticky_Http_Cookie_Citrix
     Cookie   |        HashKey       |           rserver-instance  
  ------------+----------------------+----------------------------------------+
  R3911631338 | 14573668120520452617 | SF_CitrixXenApp/RS_CitrixXen_1:80
  R3911667275 | 17565098191941304674 | SF_CitrixXenApp/RS_CitrixXen_2:80

I still do not see any sticky sessions in the database for this sticky group after enabling the cookie insert.

Sean Merrow Wed, 02/03/2010 - 13:10

Hi David,

As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.  This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.

When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.

You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.

My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.

Sean
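
The header check suggested in this thread, as an added example that is not part of the original posts: it walks a browser header trace and reports whether the VIP set the sticky cookie, whether the client returned it, and whether the inserted value changed (each rserver has one static value, so a change means a different rserver). The trace and the host name vip.example are constructed; the cookie name and values are the ones shown above.

```python
import re

COOKIE = "CITRIXCOOKIE"  # cookie name from the sticky group on this page

# Constructed sample: (request headers, response headers) per transaction,
# in the order a header-logging browser extension would show them.
TRACE = [
    ("GET / HTTP/1.1\r\nHost: vip.example\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: CITRIXCOOKIE=R3911631338; path=/\r\n"),
    ("GET /logo.gif HTTP/1.1\r\nHost: vip.example\r\n"
     "Cookie: CITRIXCOOKIE=R3911631338\r\n",
     "HTTP/1.1 200 OK\r\n"),
    ("GET /app HTTP/1.1\r\nHost: vip.example\r\nCookie: lang=en\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: CITRIXCOOKIE=R3911667275; path=/\r\n"),
]

def header_values(block, name):
    """Return all values of header `name` (case-insensitive) in a raw block."""
    pattern = rf"^{re.escape(name)}:(.*)$"
    return [m.group(1).strip() for m in re.finditer(pattern, block, re.I | re.M)]

def cookie_value(block, header):
    """Extract the sticky cookie's value from Cookie or Set-Cookie headers."""
    for line in header_values(block, header):
        for part in line.split(";"):
            key, _, value = part.strip().partition("=")
            if key == COOKIE:
                return value
    return None

def check_sticky(trace):
    """Walk the trace and list (transaction number, finding) pairs."""
    findings, issued = [], None
    for i, (req, resp) in enumerate(trace, 1):
        sent = cookie_value(req, "Cookie")
        got = cookie_value(resp, "Set-Cookie")
        if issued and sent != issued:
            findings.append((i, "client did not return " + issued))
        if got and issued and got != issued:
            findings.append((i, f"cookie changed {issued} -> {got}: different rserver"))
        if got:
            issued = got  # remember the most recent value handed to the client
    if issued is None:
        findings.append((0, "VIP never set " + COOKIE))
    return findings

if __name__ == "__main__":
    for number, finding in check_sticky(TRACE):
        print(number, finding)
```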

DavidZC12 Wed, 02/03/2010 - 15:10

I've configured it to use the cookie insert, but it still does not appear to be using it; from the ACE logs I see it jumping back and forth between the rservers.

Sean Merrow Thu, 02/04/2010 - 05:56

David,

Ah, the plot thickens.  Perhaps we need to continue to simplify the config, get it working, then add back in what is necessary.  If possible, please do the following:

  1. Remove the ssl-proxy from this VIP so it is HTTP (not HTTPS) on the front-end between the client and VIP as well as between the ACE and rservers.
  2. Leave your config with cookie-insert
  3. Start a capture on the client test PC using Wireshark
  4. Run a couple tests from the test PC until the problem happens
  5. Attach your config and the Wireshark capture to this thread.

Also what version of software are you running on your 4710?

Thanks,

Sean

DavidZC12 Thu, 02/04/2010 - 05:59

I'll try that.  I'm running 3.2.2 code

Correct Answer
Sean Merrow Thu, 02/04/2010 - 06:08

Hi David,

I also just found a bug that could be relevant here.  The issue can happen any time a user changes the serverfarm within a sticky group.  It can cause sticky to stop working.  It was fixed in A2(1.5) on the module and A3(2.3) on the 4710.

If upgrading is a possibility for you, it wouldn't be a bad idea to jump to A3(2.4).

Thanks,

Sean

DavidZC12 Thu, 02/04/2010 - 12:27

Guess I'll be scheduling an upgrade of the code and see if that resolves the issue.  I'll let you know.

DavidZC12 Mon, 02/15/2010 - 16:29

That apparently fixed my issue now as I can configure cookie stickiness with cookie insert and it works.  The dynamic cookie learning does not seem to be working, but that may be because the application owner incorrectly advised me that the app uses cookies.  I can figure that part out with a network capture.  Thanks for the help!
