LD dropping Session ID

ljohnson
Level 1

I have a Local Director 416 that is configured for balancing between two web servers over https. The problem we are seeing is very sporadic. It appears that the LD is dropping the session ID and not passing it on. We have tried SSL Sticky and Generic and are seeing the same results. It works fine all the time with Netscape's browser, but is very inconsistent with IE 5.0 and above. Any ideas or questions, please post.

Thanks,

Leon Johnson

7 Replies

mmellet
Level 3

Check your LD version. I’ve never heard of 4.1.6 but there is a 4.2.3 you should try.

It is a Local Director 416 running Version 4.2.3. 416 is the model number. Sorry for any confusion. Also I found the answer off of Microsoft's site. Here is the Article ID Q251027.

perherna
Level 1

This is the way MSIE and IIS servers process SSL traffic these days.

Microsoft Knowledgebase article #Q265369 talks about this in more detail. The idea behind this new(er) behavior is to make an SSL session more secure by more frequent key exchanges. The problem is that when we configure any load-balancing equipment to maintain session persistence based on the SSL session ID, when MSIE or IIS does its routine (every ~2 minutes or so) key exchange, the SSID changes and the sticky is broken.

A workaround is to use a sticky-mask which will perform session persistence based on a subnet mask of the client's source IP. This is a way to get around mega-proxy issues you'll run into with sticky source IP since most mega-proxies will not change their clients' source IPs outside of a 23 or 24 bit mask during their session.

Configuring stickiness is getting trickier as these technologies further mature. The most elegant and scalable solution I have seen for this issue is to use a Secure Content Accelerator, but stickymask can suit one's needs fine depending on where the majority of your traffic is originating from.

stevehall
Level 1

This behavior is expected with IE and IIS. The following are links to Microsoft's knowledgebase articles describing this behavior...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247658

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q251027

The workaround to this is to either use source IP sticky....

advanced-balance sticky-srcip

sticky-mask 255.255.255.0

or to use HTTP redirects to maintain persistence....

http://www.cisco.com/warp/public/117/css_persistence_http.html

The first method is most likely to be quicker and the second method is most certainly going to add a few grey hairs! :) However, both are proven to work and you can use whichever one fits your environment better.

If you happen to click on the link to the HTTP redirect tech tip, feel free to rate the document using the small form on the right side of the screen. We take all feedback seriously and are constantly updating the content out there to be relevant and as clear as we can.

Hope this helps!

Steve Hall
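
An added illustration (not part of any post in this thread, and not Local Director or CSS code): a small Python model of the two persistence keys discussed above, showing why a sticky keyed on the SSL session ID breaks when the client renegotiates and why a masked source IP survives it. The server names, addresses and session IDs are constructed, and the round-robin assignment of new keys is an assumption about a generic balancer.

```python
import ipaddress

SERVERS = ["web1", "web2"]  # hypothetical real servers behind the virtual address


class StickyTable:
    """New keys are assigned round-robin; known keys stay on their server."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.table = {}
        self.assigned = 0

    def pick(self, conn):
        key = self.key_func(conn)
        if key not in self.table:
            self.table[key] = SERVERS[self.assigned % len(SERVERS)]
            self.assigned += 1
        return self.table[key]


def by_ssl_session_id(conn):
    return conn["ssl_session_id"]


def by_masked_srcip(mask):
    # Same idea as "sticky-mask 255.255.255.0": key on the client's network.
    def key(conn):
        net = ipaddress.ip_network(f"{conn['src_ip']}/{mask}", strict=False)
        return str(net.network_address)
    return key


# Constructed connections in arrival order (documentation address ranges).
CONNS = [
    {"src_ip": "198.51.100.10", "ssl_session_id": "aa01"},  # client A, first handshake
    {"src_ip": "203.0.113.7", "ssl_session_id": "bb01"},    # client B
    {"src_ip": "192.0.2.44", "ssl_session_id": "cc01"},     # client C
    {"src_ip": "198.51.100.10", "ssl_session_id": "aa02"},  # A after key exchange: new ID
    {"src_ip": "198.51.100.77", "ssl_session_id": "aa03"},  # A via another proxy IP, same /24
]


def servers_seen_by_client_a(table):
    picks = [table.pick(c) for c in CONNS]
    return [picks[0], picks[3], picks[4]]


if __name__ == "__main__":
    print("ssl id  :", servers_seen_by_client_a(StickyTable(by_ssl_session_id)))
    print("mask /24:", servers_seen_by_client_a(StickyTable(by_masked_srcip("255.255.255.0"))))
```

With the mask, every client whose address falls in the same /24 is pinned to one server, so the balance depends on where the traffic originates.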

mowtnman
Level 1

You might want to look into the CSS (Content Smart Switch) device. It will provide you most of the LD functions and added features along with reliability that the LD lacks.

Adding a CSS will get you more features, but it will not work around this sticky SSL issue. This issue has to do with the way the MSIE browser and IIS servers handle SSL connections. You will see the same symptoms using a sticky method based on SSL session ID on the CSS. A workaround is to use a 23 bit stickymask which can be done on the LD or CSS.

Again, the only elegant solution here is to get both a Secure Content Accelerator and a CSS.

Cheers,

Perry.

Hi Perry:

I would like to look at implementing the stickymask on a local director, but I don't seem to have the syntax correct. I opened a ticket with TAC and they said that stickymask is not supported on the local director. How do you configure it on LD?

Thanks,

John
