Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE : Stickyness problem with http cookies

Hi,

I am facing a serious problem with stickyness in a e-commerce configuration.

Here is the setup :

  • An ACE load balance user requests on two Apache servers
  • cookie-insert is used to stick a user on one Apache server
  • The home page is accessed via http on port 80
  • On the Home page, there is a link to allowing the user to login
  • The login process uses SSL
  • During the login, backend SSL is required between the ACE and the selected Apache server
  • The login is a POST request to the Apache server
  • After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page

The ACE configuration :

  • Two sticky groups are configured : one for HTTP acess and another for HTTPS access
  • Two server farms are defined, both using the same real servers, but with different ports (80 and 441)

     sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTP
    

          sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
       cookie insert browser-expire
       timeout 240
       replicate sticky
       serverfarm ECOM_FARM_TEST_HTTPS

     serverfarm host ECOM_FARM_TEST_HTTP
       description *** e-Commerce Test Server Farm ***
       probe ECOM_PROBE_TEST
       rserver HQCHECOM01 80
        inservice
       rserver HQCHECOM02 80
        inservice
    

         serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice

The problem :

Let analyse the sequence of events and the value of the http cookie for each of them :

  • When the the home page is originally loaded, the ACE selects SERVER-1
  • The ACE inserts the cookie "A" in the server responses
  • The user is sticked to SERVER-1
  • Then, the user tries to login and an SSL session is established with the ACE
  • The user sends a POST request containing the cookie "A"
  • A backend SSL session is established with SERVER-1
  • The POST request is forwarded to SERVER-1
  • SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
  • The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
  • The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
  • The ACE perform another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
  • The page is reloaded, but the name of the user does not appear on it

The question :

As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?

Thank you for any hints,

Yves

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACE : Stickyness problem with http cookies

Yves,

What I usually do is add static sticky entry for the other group.

In other words, group 1 has static cookie entry A1 and B1 automatically created.

Group 2 has static cookies A2 and B2 automatically created.

What you can do is add A1,B1 manually to group 2 and A2,B2 to group 1.

To find the cookie value there is a command I personally created :-) "show sticky cookie-insert group "

Gilles.

7 REPLIES
Cisco Employee

Re: ACE : Stickyness problem with http cookies

Yves,

What I usually do is add static sticky entry for the other group.

In other words, group 1 has static cookie entry A1 and B1 automatically created.

Group 2 has static cookies A2 and B2 automatically created.

What you can do is add A1,B1 manually to group 2 and A2,B2 to group 1.

To find the cookie value there is a command I personally created :-) "show sticky cookie-insert group "

Gilles.

New Member

Re: ACE : Stickyness problem with http cookies

Hi Gilles,

It is more than excellent, it works very well !

Thanks a lot for your rapid help and the nice show command ;-)

Yves

New Member

Re: ACE : Stickyness problem with http cookies

Hi Gilles,

Just a short question on the show command you mentionned :

CH01AC03/P-104-A# sh sticky cookie-insert group ECOM_STICKY_TEST_HTTPS


    Cookie   |        HashKey       |           rserver-instance
  -----------+----------------------+----------------------------------------+
  R355972695 | 12534134689947558024 | ECOM_FARM_TEST_HTTPS/HQCHECOM01:443
  R357158616 | 7947867557438681328  | ECOM_FARM_TEST_HTTPS/HQCHECOM02:443

I see the two cookies which are effectively inserted in the http header by the ACE, but I don't see any information on this command output saying that the cookies are static. I also do not see the value I entered in the configuration :

sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
  24 static cookie-value "APACHE01_SSL_TEST" rserver HQCHECOM01
  32 static cookie-value "APACHE02_SSL_TEST" rserver HQCHECOM02

I also wonder that this command gives the same result :

CH01AC03/P-104-A# sh sticky database static group ECOM_STICKY_TEST_HTTPS


sticky group : ECOM_STICKY_TEST_HTTPS
type         : HTTP-COOKIE
timeout      : 240           timeout-activeconns : FALSE
  sticky-entry          rserver-instance                 time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  R355972695             HQCHECOM01:443                      never         -
  R357158616             HQCHECOM02:443                      never         -

My Question :

Where can I see the correspondance bewteen these three elements ?

  1. The hash value of the cookie (i.e R355972695)
  2. The configured cookie value (i.e APACHE01_SSL_TEST)
  3. The real server (i.e HQCHECOM01)

Thank you in advance

Yves

New Member

Re: ACE : Stickyness problem with http cookies

Gilles,

Sorry, forget about my previous append, it was a misunderstanding. I now configured it correctly :

sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
  56 static cookie-value "R355972695" rserver HQCHECOM01  >-- taken from the HTTPS group
  64 static cookie-value "R357158616" rserver HQCHECOM02  >-- taken from the HTTPS group


sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
  72 static cookie-value "R105816849" rserver HQCHECOM01
  >-- taken from the HTTP group
  80 static cookie-value "R105852786" rserver HQCHECOM02  >-- taken from the HTTP group

It works as expected now.

Yves

New Member

Re: ACE : Stickyness problem with http cookies

Hi Gilles,

I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :

It seems that the ACE ignores the static entries !


To make my question clear, I repeat hereafter the setup and the encountered problem :

Here is the setup :

  • An ACE load balance user requests on two Apache servers
  • cookie-insert is used to stick a user on one Apache server
  • The home page is accessed via http on port 80
  • On the Home page, there is a link to allowing the user to login
  • The login process uses SSL
  • During the login, backend SSL is required between the ACE and the selected Apache server
  • The login is a POST request to the Apache server
  • After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page

The ACE configuration :

  • Two sticky groups are configured : one for HTTP acess and another for HTTPS access
  • Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
  • In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
    • R105816849   for the server HQCHECOM01
    • R105852786   for the server HQCHECOM02
  • In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
    • R355972695   for the server HQCHECOM01
    • R357158616   for the server HQCHECOM02
  • I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :

sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
  56 static cookie-value "R355972695" rserver HQCHECOM01
  64 static cookie-value "R357158616" rserver HQCHECOM02

sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
  cookie insert browser-expire
  timeout 240
  replicate sticky
  serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
  72 static cookie-value "R105816849" rserver HQCHECOM01
  80 static cookie-value "R105852786" rserver HQCHECOM02

serverfarm host ECOM_FARM_TEST_HTTP
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 80
   inservice
  rserver HQCHECOM02 80
   inservice
    

serverfarm host ECOM_FARM_TEST_HTTPS
  description *** e-Commerce Test Server Farm ***
  probe ECOM_PROBE_TEST
  rserver HQCHECOM01 443
   inservice
  rserver HQCHECOM02 443
   inservice

The problem :

Let analyse the sequence of events and the value of the http cookie for each of them :

  • When the the home page is originally loaded, the ACE selects SERVER-1
  • The ACE inserts the cookie "A" in the server responses
  • The user is sticked to SERVER-1
  • Then, the user tries to login and an SSL session is established with the ACE
  • The user sends a POST request containing the cookie "A"
  • A backend SSL session is established with SERVER-1
  • The POST request is forwarded to SERVER-1
  • SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
  • The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
  • The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
  • But instead, the ACE perform another load balancing decision and selects SERVER-2 !
  • The page is reloaded, but the name of the user does not appear on it


LiveHTTP Trace on Firefox :

GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;

HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg

Here we switch on HTTPS :


----------------------------------------------------------
https://ecom.test.toto.com/uk/en/j_spring_security_check

POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01

Here we see cookie for the same server but for the HTTPS sticky group :

HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Here we switch back to HTTP :


----------------------------------------------------------
http://ecom.test.toto.com/uk/en/home

GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
                  
Here we see that the second server has been wrongly selected !


HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

----------------------------------------------------------
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif

GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;

HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif

Hypothesis :

It seems that the static entries are not considered by the ACE...

Cisco Employee

Re: ACE : Stickyness problem with http cookies

As mentioned in your other post, you need to configure the static cookie entry using the exact same rserver as defined in the serverfarm...including the port !!!

Gilles.

New Member

Can you please explain why

Thanks, will attempt this configuration in testing

2324
Views
5
Helpful
7
Replies
CreatePlease login to create content