Load balancing HTTPS with stickiness

Sep 15th, 2010

Hi all,


We'd like to do HTTPS load balancing with stickiness (cookie stickiness).

Is it possible? How do we configure it?


I've tried to configure it as follows, but it seems that the client does not receive the cookie.


sticky http-cookie INAMI-OWA-PRD INAMI-OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm ISA-PRD-EXCHANGE-OWA-SF

serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice


class-map match-any ISA-VIP-PRD-EXCHANGE-OWA
  2 match virtual-address xxx.xxx.xxx.xxx tcp eq https

policy-map type loadbalance first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm INAMI-OWA-STICKY

policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117

Could someone help us with implementing sticky on HTTPS traffic?

Thanks a lot.


Frédéric

adakopou Wed, 09/15/2010 - 08:29
User Badges:
  • Cisco Employee,

Hello Frédéric,
If you are load-balancing SSL, then you cannot perform sticky via a Cookie (insert / learning). The reason for this is that the SSL data is encrypted and the ACE will not be able to insert a Cookie or learn a Cookie with encrypted data. If you are performing SSL termination or End-to-End SSL (termination and initiation) then you would be able to perform sticky via Cookie (insert / learning). When load-balancing SSL, your sticky options are either sticky via SSL Session ID or via SRC IP.


The one major issue with SSL Session ID sticky is that some older I.E. browsers may re-negotiate the SSL Session ID every two minutes, which may cause the SSL user to get load-balanced to a different Rserver. This is also explained in the following knowledge base article: http://support.microsoft.com/kb/265369


Here are a couple of examples covering both SSL Session id sticky as well as SRC IP sticky:


SSL Session ID Example:


parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 70


serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice


sticky layer4-payload SSL-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"


policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SSL-STICKY


policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options SSLID_PARAMMAP
    nat dynamic 117 vlan 117



SRC IP Example:


serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice


sticky ip-netmask 255.255.255.255 address source SRCIP-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF


policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SRCIP-STICKY



policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117


I hope this information helps.


Thank you,
Antonios
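
Why the SSL Session ID example above uses `offset 43 length 32 begin-pattern "\x20"`, as an added Python sketch that is not part of the original post and not ACE's own implementation: it models the rule on constructed TLS hello messages and shows the sticky entry being missed once a client presents a new session ID. The `build_hello` helper, the `StickyTable` class and the round-robin choice are assumptions made for illustration.

```python
import os
import struct

# Values from the ACE example above: skip 43 bytes, match "\x20", keep 32 bytes.
OFFSET, LENGTH, BEGIN = 43, 32, b"\x20"
RSERVERS = ["ISA-DMZ-PRD-1", "ISA-DMZ-PRD-2", "ISA-DMZ-PRD-3"]


def build_hello(hs_type: int, session_id: bytes) -> bytes:
    """Constructed TLS 1.0 hello (1 = ClientHello, 2 = ServerHello), minimal body."""
    body = b"\x03\x01" + os.urandom(32)             # version (2) + random (32)
    body += bytes([len(session_id)]) + session_id   # session ID length + value
    if hs_type == 1:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"               # chosen suite, null compression
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sticky_key(payload: bytes):
    """Simplified model of the layer4-payload rule: offset, begin-pattern, length."""
    # 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43
    if payload[OFFSET:OFFSET + 1] != BEGIN:
        return None                                  # no 32-byte session ID present
    key = payload[OFFSET + 1:OFFSET + 1 + LENGTH]
    return key if len(key) == LENGTH else None


class StickyTable:
    """Hypothetical sticky table keyed on the 32-byte SSL session ID."""

    def __init__(self):
        self.entries, self.next = {}, 0

    def pick(self, client_hello: bytes) -> str:
        key = extract_sticky_key(client_hello)
        if key in self.entries:                      # resumed session: same rserver
            return self.entries[key]
        server = RSERVERS[self.next % len(RSERVERS)]  # unknown ID: round-robin
        self.next += 1
        return server

    def learn(self, server_hello: bytes, server: str) -> None:
        key = extract_sticky_key(server_hello)       # models "response sticky"
        if key is not None:
            self.entries[key] = server
```

A client that resumes with the learned session ID returns to the same rserver; a client that presents a new ID is balanced again, which is the behaviour described above for older I.E. browsers.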

riziv Wed, 09/15/2010 - 10:55

Hi Antonios,


Thanks a lot for your reply; that should help me to configure the offloading of the SSL and apply the stickiness.

I will come back to you if I have other questions related to the SSL termination (not experienced yet).


Many thanks.

Frederic
