
CSS 11150 drops sessions when service is suspended

s-bargon
Level 1

Does anyone have experience with the 11150 dropping suspended sessions? We are using Sticky-SSL with nCipher SSL accelerator cards. When a session is suspended, the CSS holds the flow for about 16 seconds and then drops it. The client is then forced to reauthenticate.

version: ap0610405

content WEB
  add service WEB1
  protocol tcp
  port 443
  add service WEB2
  add service WEB3
  add service WEB4
  advanced-balance sticky-srcip
  sticky-inact-timeout 35
  vip address 10.1.1.1
  active

Interestingly enough, using weight 0 does work, holding existing sessions and not allowing new sessions, whereas suspend drops existing sessions and prevents new sessions.


Gilles Dufour
Cisco Employee

What do you mean by suspending the session?

Do you suspend the service ?

The difference between weight set to zero and suspend is that weight 0 still allows a new connection to be sent to the service if there is a sticky entry pointing to this server.

Therefore I have the feeling that your browser is using a new SSLID and, with suspend, the new connection is sent to a new server, which requires a new authentication; however, with weight 0, the new connection is sent to the same server, so no authentication is required.

Everything seems to be normal.

If you have doubts, I would suggest to capture a sniffer trace on the client.

Regards,

Gilles.

Thanks for rating this answer.
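The difference described in the reply above between weight 0 and suspend, as a simplified model added here (not Cisco CSS code and not part of the original thread). The `Service` and `ContentRule` classes, the round-robin choice and the client addresses are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the reply above.
# Hypothetical classes; this is not how the CSS is implemented.
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    weight: int = 1
    suspended: bool = False

@dataclass
class ContentRule:
    services: list
    sticky: dict = field(default_factory=dict)  # sticky key -> service name
    _rr: int = 0                                # round-robin counter (assumed)

    def select(self, sticky_key):
        """Return (service name, moved); moved means the client was re-homed."""
        by_name = {s.name: s for s in self.services}
        stuck = by_name.get(self.sticky.get(sticky_key))
        # Weight 0: an existing sticky entry is still honoured.
        if stuck is not None and not stuck.suspended:
            return stuck.name, False
        # Suspended service or no entry: pick from services open to new load.
        pool = [s for s in self.services if not s.suspended and s.weight > 0]
        if not pool:
            raise RuntimeError("no service available")
        chosen = pool[self._rr % len(pool)]
        self._rr += 1
        self.sticky[sticky_key] = chosen.name
        # A re-homed client reaches a server that has no session for it.
        return chosen.name, stuck is not None

def demo():
    results = {}
    for mode in ("weight0", "suspend"):
        rule = ContentRule([Service(f"WEB{i}") for i in range(1, 5)])
        rule.select("198.51.100.7")          # constructed client, lands on WEB1
        web1 = rule.services[0]
        if mode == "weight0":
            web1.weight = 0
        else:
            web1.suspended = True
        results[mode] = {
            "returning": rule.select("198.51.100.7"),  # has a sticky entry
            "newcomer": rule.select("198.51.100.8"),   # constructed, no entry
        }
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In this model the returning client stays on WEB1 under weight 0 and is moved to a different server under suspend, which is the point at which a new authentication would be required.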

s-bargon
Level 1

Appreciate the response. When using sticky SSL, weight zero still honors the CSS sticky table and so clients reconnect to the same server even if they close their browser and 10 minutes later make a new connection. Weight 0 is not the appropriate solution.

So the question is if anybody has any experience with nCipher SSL cards or iPlanet sending an Encrypted Alert to the client, which Resets the client and ends their session when using the Suspend command. Suspend is the correct way to prevent any new sessions from connecting to a service even if the IP is in the Sticky Table.

TIA