I have a Local Director 416 that is configured for balancing between two web servers over https. The problem we are seeing is very sporadic. It appears that the LD is dropping the session ID and not passing it on. We have tried SSL Sticky and Generic and are seeing the same results. It works fine all the time with Netscapes browser, but is very inconsistent with IE 5.0 and above. Any Ideas or questions please post.
This is the way MSIE and IIS servers process SSL traffic these days.
Microsoft Knowledgebase article #Q265369 talks about this in more detail. The idea behind this new(er) behavior is to make a SSL session more secure by more frequent key exchanges. The problem is that when we configure any load-balancing equipment to maintain session persistence based on the SSL session ID, when MSIE or IIS does its routine (every ~2 minutes or so) key exchange, the SSID changes and the sticky is broken.
A workaround is to use a sticky-mask which will perform session persistence based on a subnet mask of the clients source IP. This is a way to get around mega-proxy issues you'll run into with stycky source IP since most mega-proxies will not change their clients' source IPs outside of a 23 or 24 bit mask during their session.
Configuring stickyness is getting trickier as these technologies further mature. The most elegant and scaleable solution I have seen for this issue is to use a Secure Content Accelerator, but stickymask can suit one's needs fine depending on where the majority of your traffic is originating from.
The first method is most likely to be quicker and the second method is most certainly going to add a few grey hairs! :) However, both are proven to work and you can use whchever one fits your environment better.
If you happen to click on the link to the HTTP redirect tech tip, feel free to rate the document using the small form on the right side of the screen. We talk all feedback seriously and are constantly updating the content out there to be relevant and as clear as we can.
Adding a CSS will get you more features, but it will not work around this sticky SSL issue. This issue has to do with the way the MSIE browser and IIS servers handle SSL connections. You will see the same symptoms using a sticky method based on SSL session ID on the CSS. A workaround is to use a 23 bit stickymask which can be done on the LD or CSS.
Again, the only elegant solution here is to get both a Secure Content Accelerator and a CSS.
I would like to look at implementing the stickymask on a local director, but I don't seems to have the syntaxs correct. I opened a ticket with TAC and they said that stickymask is not supported on the local director. How do you configure it on LD?
The unmanaged mode is also known as Network only switching, which is introduced in Brazos release. It adds the flexibility for customer to use only network automation for service appliance.
If a device is configured a...
Usually, we can access ESXi Shell by pressing Alt+F1 from ESXi DCUI (Direct Console User Interface).
But on HyperFlex system, it just shows black window.
This is expected behavior because HyperFlex redirects ESXi Shell output to SoL...
Configuring an Export Policy Using the GUI
This procedure explains how to configure an Export policy using the APIC GUI. Follow these steps to trigger a backup of your data:
On the menu bar, choose Admi...