ACE SSL Sticky class-map generic vs class default differences.

Unanswered Question
Mar 25th, 2010
User Badges:

There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.

Can anyone explain the benefits and differences of using a specific class-map generic such as this:

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"

  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

Versus just matching class default?

So if I have a configuration such as this:

policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
   sticky-serverfarm ssl-v3


policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
   sticky-serverfarm ssl-v3

What's the benefit or drawback?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Mon, 03/29/2010 - 04:59
User Badges:
  • Cisco Employee,

The SSL session id is only available in version 3.0.1 and 3.1.1

So you can match this particular version and then attempt to do stickyness.

You are guaranteed to find what you're looking for.

If you match a class-default it means you apply stickyness to any version of ssl packet.

So there is a risk to misinterpret the content of the packet and stick on something else than the session id.



This Discussion