New Member

Inter-rule Stickiness

Given two rules on a CSS 11503:

  content layer4rule
    vip address 123.45.67.89
    port 80
    protocol tcp
    balance leastconn
    add service server1-plain-text
    add service server2-plain-text
    active

  content layer5rule
    vip address 123.45.67.89
    port 443
    protocol tcp
    application ssl
    advanced-balance ssl
    add service server1-ssl
    add service server2-ssl
    active

Is there any way to set a client to be stuck to server1 if he comes in on port 80 or 443?

Cisco Employee

Re: Inter-rule Stickiness

Unfortunately there is no way to do this with 2 different content rules. Each content rule has its own sticky table. If you are not doing any port redirection on the services you can make a single layer 3 rule to keep a user stuck to the same server on both port 80 and 443. You would need to use source IP sticky in this case since 443 cannot use a cookie and port 80 cannot use SSL session ID.

Another option is to terminate SSL if your CSS has this capability. In this case you have the two rules: one for 80 that goes directly to the backend server and a second for SSL that sends the traffic to the SSL module for termination. Once the CSS terminates the traffic it can send the clear text back to the original port 80 VIP. You do not need sticky on the SSL rule unless you have more than one SSL module. You could use sticky based on either source IP or cookies. Since both original port 80 traffic and decrypted SSL traffic will be using the same rule, it will use the same sticky table.

Hope that helps

Jim

Cisco Employee

Re: Inter-rule Stickiness

Might be possible with a cookie.

But you will need the SSL module to decrypt the SSL traffic.

If not possible, you should merge the content rules for 80 and 443 together (remove the port).

Like this, a single rule with sticky source IP would make sure you always stay with the same server whatever the port.

Gilles.
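
The single-rule approach that both replies describe, written out as an added configuration sketch (not posted by anyone in the thread). The service names, the rule name `layer3rule` and the 10.1.1.x addresses are placeholders; it assumes `layer4rule` and `layer5rule` are removed or suspended so that this rule handles both ports.

```text
! Constructed example, not from the thread. Service names, the rule name
! and the 10.1.1.x addresses are placeholders.

! The services carry no "port" command, so there is no port redirection
! and the client's destination port (80 or 443) is kept.
service server1-any
  ip address 10.1.1.1
  active

service server2-any
  ip address 10.1.1.2
  active

! One layer 3 rule: VIP only, with no "port", "protocol" or
! "application ssl". Created under the same owner as the rules it replaces.
  content layer3rule
    vip address 123.45.67.89
    balance leastconn
    advanced-balance sticky-srcip
    add service server1-any
    add service server2-any
    active
```

Because the sticky key is the source IP alone, every client behind the same NAT or proxy address is sent to the same server.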
