New Member

ACE SSL Sticky class-map generic vs class default differences.

There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Gilles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.

Can anyone explain the benefits and differences of using a specific class-map generic such as this:

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

Versus just matching class-default?

So if I have a configuration such as this:

policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
   sticky-serverfarm ssl-v3

vs

policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
   sticky-serverfarm ssl-v3

What's the benefit or drawback?

1 REPLY
Cisco Employee

Re: ACE SSL Sticky class-map generic vs class default difference

The SSL session id is only available in version 3.0.1 and 3.1.1

So you can match this particular version and then attempt to do stickiness.

You are guaranteed to find what you're looking for.

If you match a class-default it means you apply stickiness to any version of SSL packet.

So there is a risk of misinterpreting the content of the packet and sticking on something other than the session id.

Gilles.
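To make the difference between the two policy-maps concrete, here is an added example (not from the thread, and not Cisco ACE code) that emulates the SSL-v3-32 class-map in Python and shows where the session id sits in an SSLv3/TLS 1.0 ClientHello. The two regexes match a handshake record (0x16) for version 3.0 or 3.1 whose first handshake message is a ClientHello (0x01); the session id then follows the 5-byte record header, 4-byte handshake header, 2-byte client version and 32-byte random. The sample hellos, the helper names and the "naive" fixed-offset reader are all constructed for this illustration; the naive reader stands in for what class-default amounts to, applying the sticky key extraction to any payload, including an SSLv2 hello whose layout is entirely different.

```python
import re

# The two regexes from the SSL-v3-32 class-map, as Python bytes patterns.
# \x16 = handshake record, \x03\x00 = SSL 3.0, \x03\x01 = TLS 1.0,
# ".." = 2-byte record length, \x01 = handshake type ClientHello.
CLASS_MAP_PATTERNS = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]

# Offset of the session_id length byte in an SSLv3/TLS1.0 ClientHello:
# record header (5) + handshake header (4) + client_version (2) + random (32)
SESSION_ID_LEN_OFFSET = 5 + 4 + 2 + 32


def matches_ssl_v3_32(payload: bytes) -> bool:
    """Emulates 'class-map type generic match-any SSL-v3-32' (constructed helper)."""
    return any(p.match(payload) for p in CLASS_MAP_PATTERNS)


def extract_session_id(payload: bytes):
    """Sticky key extraction when the class-map has matched first.

    Returns the session id (possibly empty) or None when the payload is not
    an SSLv3/TLS1.0 ClientHello or is truncated."""
    if not matches_ssl_v3_32(payload):
        return None
    off = SESSION_ID_LEN_OFFSET
    if len(payload) <= off:
        return None
    sid_len = payload[off]
    sid = payload[off + 1: off + 1 + sid_len]
    return sid if len(sid) == sid_len else None


def naive_session_id(payload: bytes) -> bytes:
    """What class-default amounts to: read the session id at the fixed offset
    without checking the record is an SSLv3/TLS1.0 ClientHello at all."""
    off = SESSION_ID_LEN_OFFSET
    sid_len = payload[off] if len(payload) > off else 0
    return payload[off + 1: off + 1 + sid_len]


def build_client_hello(version: bytes, session_id: bytes) -> bytes:
    """Constructed sample: a minimal SSLv3/TLS1.0 ClientHello record."""
    body = (
        version                       # client_version
        + b"\x00" * 32                # random (zeros, sample only)
        + bytes([len(session_id)]) + session_id
        + b"\x00\x02\x00\x2f"         # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
        + b"\x01\x00"                 # one compression method (null)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: an SSLv2 ClientHello (2-byte length header with high bit
# set, msg type 0x01, version 0x0002, then cipher specs and a 16-byte challenge).
# It carries no SSLv3-style session id at any fixed offset.
SSLV2_HELLO = (
    b"\x80\x2e" + b"\x01" + b"\x00\x02"
    + b"\x00\x15"                      # cipher spec length = 21
    + b"\x00\x00"                      # session id length = 0
    + b"\x00\x10"                      # challenge length = 16
    + b"\x01\x00\x80" * 7              # 7 three-byte cipher specs
    + b"\x11" * 16                     # challenge
)


if __name__ == "__main__":
    sid = bytes(range(32))
    tls10 = build_client_hello(b"\x03\x01", sid)
    print("TLS1.0 matches class-map:", matches_ssl_v3_32(tls10))
    print("session id:", extract_session_id(tls10).hex())
    print("SSLv2 matches class-map:", matches_ssl_v3_32(SSLV2_HELLO))
    print("class-default would stick on:", naive_session_id(SSLV2_HELLO).hex())
```

With the class-map in front, the SSLv2 hello (and anything else that is not an SSLv3/TLS 1.0 ClientHello) never reaches the sticky-serverfarm, so `extract_session_id` returns None and the ACE simply load-balances it. With class-default, the same payload is handed to the session id extraction, and the fixed-offset read returns a few bytes of the SSLv2 challenge instead, which is exactly the "stick on something other than the session id" risk Gilles describes.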
