Inter-rule Stickiness

Unanswered Question
Sep 29th, 2010

Given two rules on a CSS 11503:


  content layer4rule
    vip address 123.45.67.89
    port 80
    protocol tcp
    balance leastconn
    add service server1-plain-text
    add service server2-plain-text
    active


  content layer5rule
    vip address 123.45.67.89
    port 443
    protocol tcp
    application ssl
    advanced-balance ssl
    add service server1-ssl
    add service server2-ssl
    active

Is there any way to set a client to be stuck to server1 if he comes in on port 80 or 443?

jsirstin (Cisco Employee) Wed, 09/29/2010 - 13:06

Unfortunately there is no way to do this with 2 different content rules. Each content rule has its own sticky table. If you are not doing any port redirection on the services you can make a single layer 3 rule to keep a user stuck to the same server on both port 80 and 443. You would need to use source IP sticky in this case since 443 cannot use a cookie and port 80 cannot use SSL session ID.

Another option is to terminate SSL if your CSS has this capability. In this case you have the two rules: one for 80 that goes directly to the backend server and a second for SSL that sends the traffic to the SSL module for termination. Once the CSS terminates the traffic it can send the clear text back to the original port 80 VIP. You do not need sticky on the SSL rule unless you have more than one SSL module. You could use sticky based on either source IP or cookies. Since both original port 80 traffic and decrypted SSL traffic will be using the same rule, it will use the same sticky table.



Hope that helps

Jim


Gilles Dufour (Cisco Employee) Thu, 09/30/2010 - 05:47

Might be possible with cookie.

But you will need the ssl module to decrypt the ssl traffic.


If not possible, you should merge the content rules for 80 and 443 together (remove the port).

Like this, a single rule with sticky source IP would make sure you always stay with the same server whatever the port.


Gilles.
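
The following is an added illustration, not part of either reply and not Cisco code: a simplified Python model of why per-rule sticky tables let a client drift between servers, and why one port-less rule with source IP sticky does not. The `ContentRule` class, the client addresses and the shared connection counter are assumptions made for the model; it gives both split rules source IP sticky to show that the separate tables alone cause the drift.

```python
from dataclasses import dataclass, field

SERVERS = ("server1", "server2")

@dataclass
class ContentRule:
    """Model of a content rule that owns a private sticky table."""
    name: str
    ports: frozenset                             # empty = no port (layer 3 rule)
    sticky: dict = field(default_factory=dict)   # client IP -> server

    def matches(self, port):
        return not self.ports or port in self.ports

    def pick(self, client_ip, load):
        # Reuse this rule's sticky entry if present; otherwise choose the
        # server with the fewest connections and record the choice.
        if client_ip not in self.sticky:
            self.sticky[client_ip] = min(SERVERS, key=lambda s: load[s])
        server = self.sticky[client_ip]
        load[server] += 1
        return server

def route(rules, load, client_ip, port):
    rule = next(r for r in rules if r.matches(port))
    return rule.pick(client_ip, load)

def simulate(rules):
    """Client .10 arrives on 80, two other clients arrive, then .10 uses 443."""
    load = {s: 0 for s in SERVERS}               # connections per real server
    first = route(rules, load, "198.51.100.10", 80)
    route(rules, load, "198.51.100.20", 80)      # constructed sample clients
    route(rules, load, "198.51.100.30", 80)
    second = route(rules, load, "198.51.100.10", 443)
    return first, second

def split_rules():
    return [ContentRule("layer4rule", frozenset({80})),
            ContentRule("layer5rule", frozenset({443}))]

def merged_rule():
    return [ContentRule("layer3rule", frozenset())]

if __name__ == "__main__":
    print("two rules :", simulate(split_rules()))
    print("one rule  :", simulate(merged_rule()))
```
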
