CSS without SSL Module needing sticky sessions

Sep 6th, 2010

Hello All,



If anyone can help with this sticky situation I'd appreciate it.


I have a customer with a CSS11501. He does not have an SSL module installed.


He has 2 blade servers. When he adds a web site which is accessible over SSL, the CSS load balances client requests, causing lost sessions, mostly lost pop-ups; it does not want to stick to the same server.



I've configured the following:-

service web1
  protocol tcp
  port 443
  keepalive type tcp
  ip address 192.168.200.50
  string web1
  active

service web2
  protocol tcp
  port 443
  keepalive type tcp
  ip address 192.168.200.51
  string web2
  active

*******************

content SSL_Web
  add service web1
  add service web2
  protocol tcp
  port 443
  vip address 1.2.3.4
  application ssl
  advanced-balance sticky-srcip-dstport
  active

*********************

group web_Farm
  add service web1
  add service web2
  vip address 1.2.3.4
  active



I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.

Once the customer turns off the second blade, all is ok.


I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.



Best Regards Tony

litrenta Mon, 09/06/2010 - 07:40
User Badges: Cisco Employee

You should remove application ssl from the content rule. You should only use this if you are trying to do sticky based on SSL ID with advanced-balance ssl. If you are doing sticky via srcip, do not use this.

tholmes@cistek-... Mon, 09/06/2010 - 08:58

Hi Litrenta,



Many thanks for the reply, do you think the config might be ok otherwise?


At the moment I can't test it as it's live right now.


Regards Tony 

jsirstin Wed, 09/08/2010 - 07:24
User Badges: Cisco Employee

Tony,


The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.


Regards

Jim
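
For reference, the services and content rule from the original post with the two changes suggested in the replies applied: "application ssl" dropped from the content rule, and "keepalive port 443" added to both services. This is an added illustration, not a configuration posted or tested by anyone in the thread; the group web_Farm section is unchanged and omitted.

```text
! Added example: original post's config with the replies' two changes applied.
service web1
  protocol tcp
  port 443
  keepalive type tcp
  ! per the second reply: probe 443 instead of the default port 80
  keepalive port 443
  ip address 192.168.200.50
  string web1
  active

service web2
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  ip address 192.168.200.51
  string web2
  active

content SSL_Web
  add service web1
  add service web2
  protocol tcp
  port 443
  vip address 1.2.3.4
  ! "application ssl" removed: per the first reply it belongs only with
  ! advanced-balance ssl, not with source-IP stickiness
  advanced-balance sticky-srcip-dstport
  active
```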
