CSS11501 using SSL sticky - using L4 fallback?

simon.allen
Level 1

Hi,

We have a CSS11501 (no SSL module) which we're using to balance SSL connections to three servers. All three servers are "alive" but only two are getting hits:

    content Gateway_Other_SSL
      vip address 10.48.3.69
      application ssl
      advanced-balance ssl
      protocol tcp
      port 443
      add service WARWEB102
      add service WARWEB104
      add service WARWEB103
      active

The incoming client connections go through a firewall and then an ISA cluster before being presented to the CSS with one of two source IP addresses (the ISA server IPs).

Having looked at the individual hash entries in the sticky table I can see that all of the connections to one server came from one ISA server, and all of the rest came from the other one.

The sticky stats show hits on SSL rather than L4 but I'm wondering if the CSS is not seeing the SSL session ID and is using L4 fallback instead.

How can I tell if L4 fallback is being used?

2 Replies

Gilles Dufour
Cisco Employee

Capture a sniffer trace.

If you can see the SSLID, the CSS also can.

If you can't, then the CSS did a fallback to L4.

Gilles.
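The check described in the reply above, as an added example that is not part of the original thread: it pulls the session ID field out of the cleartext ClientHello/ServerHello at the start of each captured TCP payload and counts, per flow, how many hellos carry a visible ID. It assumes the payload bytes have already been exported from the sniffer trace; the function names, flow labels and sample records are hypothetical and constructed for illustration.

```python
import struct

HELLO = {1: "ClientHello", 2: "ServerHello"}   # handshake message types

def extract_session_id(payload: bytes):
    """Return (hello_name, session_id) from the first TLS record of a TCP
    payload, or None when no cleartext hello can be parsed from it."""
    if len(payload) < 5 or payload[0] != 22:    # 22 = handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    msg = payload[5:5 + rec_len]
    if len(msg) < 4 or msg[0] not in HELLO:
        return None
    off = 4 + 2 + 32        # handshake header, version, random
    if len(msg) <= off:
        return None         # truncated capture (snaplen too short)
    sid_len = msg[off]
    sid = msg[off + 1: off + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        return None         # malformed or cut off inside the ID
    return HELLO[msg[0]], sid

def summarize(packets):
    """Count, per flow label, hellos with a visible ID, an empty ID, or none."""
    stats = {}
    for flow, payload in packets:
        row = stats.setdefault(flow, {"visible": 0, "empty": 0, "unparsed": 0})
        parsed = extract_session_id(payload)
        key = "unparsed" if parsed is None else ("visible" if parsed[1] else "empty")
        row[key] += 1
    return stats

def _hello(hs_type, sid):
    """Build a constructed sample hello record (not real traffic)."""
    tail = b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    body = b"\x03\x01" + bytes(32) + bytes([len(sid)]) + sid + tail
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(msg).to_bytes(2, "big") + msg

# Constructed sample: flow labels and payloads are made up for illustration.
SAMPLE = [
    ("flow-a", _hello(1, b"")),                   # new session, no ID yet
    ("flow-a", _hello(2, bytes(range(32)))),      # server assigns a 32-byte ID
    ("flow-b", b"\x17\x03\x01\x00\x02\xaa\xbb"),  # application data only
]

if __name__ == "__main__":
    for flow, row in summarize(SAMPLE).items():
        print(flow, row)
```

A capture taken with a short snap length shows up as "unparsed" here, so take the trace with full packets before reading anything into a missing ID.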

Thanks, we'll set up a trace.

One more question though: would the sticky stats report fallbacks to L4 as L4 sticky entries or SSL sticky entries?

Our sticky stats are as follows:

    DfEE-WWK01-CSS1# sh sticky-stats
    Sticky Statistics - SFM Slot 1, Subslot 1:
    Total number of new sticky entries is 9490
    Total number of sticky table hits is 8857
    Total number of sticky rejects (no entry) is 0
    Total number of sticky collision is 0
    Total number of available sticky entries is 122317
    Total number of used sticky entries is 8754
    Total L3 sticky entries are 0
    Total L4 sticky entries are 0
    Total SSL sticky entries are 8754
    Total WAP sticky entries are 0
    Total number of SIPCID sticky entries is 0

Thanks