Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

HTTP-Cookie Stickiness is not working on ACE 4710.

Hi ALL,

I have configured a service with a VIP listening on 443, at the minute both servers at the backend are using self signed certificates but eventually SSL will be terminated on ACE.

My requirement is to configure sticky sessions using http-cookie, i have configured it but ACE is not working as expected.

The user logs into the server and while browsing they get kicked to the second server and are prompted to login page again.

is it because the ACE can't extract the cookie from encrypted text or it is something else.

My config is very simple, please find it below.

serverfarm host SSDSD_SF

  probe SSDSD-ServerAvailability-443

  rserver SSDSD-AL2 443

    conn-limit max 4000000 min 4000000

    inservice

  rserver SSDSD-AL3 443

    conn-limit max 4000000 min 4000000

    inservice

sticky http-cookie JSESSIONID SSDSD_Sticky_SF2

  replicate sticky

  serverfarm SSDSD_SF

lass-map match-all SSDSD_443_WEB

  2 match virtual-address 10.xx.xx.xx tcp eq https

policy-map type loadbalance first-match SSDSD_443_WEB-l7slb

  class class-default

    sticky-serverfarm SSDSD_Sticky_SF2

class SSDSD_443_WEB

    loadbalance vip inservice

    loadbalance policy SSDSD_443_WEB-l7slb

    loadbalance vip icmp-reply active

3 REPLIES
Cisco Employee

HTTP-Cookie Stickiness is not working on ACE 4710.

Hi Amjad,

You are correct. ACE has no way to look into HTTP header since it is encrypted. For ACE to do HTTP based stickyness, you should terminate SSL on ACE or as temporary workaround use source based sticky.

Hope this helps!

Regards,

Kanwal

New Member

HTTP-Cookie Stickiness is not working on ACE 4710.

Hello Kanwaljeet,

Thanks once again for your prompt reply, what will happen if i terminate the SSL on ACE and the backend servers are also listening on 443??

Will the ACE be able to decrypt the data and extract the cookie out of it or will it go through the ACE and the real server will deal with it.

Regards,

Amjad Hashim.

Cisco Employee

HTTP-Cookie Stickiness is not working on ACE 4710.

Hi Amjad,

In that case you will need to do END-TO-END SSL and ACE would be able to decrypt traffic and take decision on the basis of information contained in HTTP header. You can have more details regarding End to End ssl in below link.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

Please let me know if you have any questions.

Regards,

Kanwal

422
Views
0
Helpful
3
Replies