Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
422
Views
0
Helpful
3
Replies

Monitoring a CSS11503 sticky decision

peucale
Level 1
Level 1

‎01-31-2006 05:39 AM

Hi everybody,

we want to see and log (best would be to syslog) why the CSS takes a loadbalancing decision on stickiness. Is this possible and how should this be configured?

Our current problem is the following. We got a CSS11503 pair in box redundancy. They are loadbalancing https traffic to two SUN iPlanet instances using SSLv3. The rule is the following:

content https

protocol tcp

port 443

application ssl

balance aca

add service service1_https

add service service2_https

vip address 10.1.1.1

advanced-balance ssl

active

what we see is that some client gets forwarded to the second server during a session although it was directed to the first one before. And this leads to an 'authorization required' error in the client application. We can trace this in the iPlanet logs.

When using src-sticky, everything works fine, so this leads to the conclusion that it has to do with SSL loadbalancing.

Of course the application guys now blame the CSS for not working correctly, but I think (as a CSS guy) that the application is doing something wrong. So, I need to trace the sticky decision on the CSS.

Any ideas are welcome.

-Alex

Labels:
0 Helpful
3 Replies 3

jphilope
Level 3
Level 3

‎01-31-2006 09:01 AM

Alex,

The sticky decision is based upon the SSL hash at the time of the SSL Session Setup. As long as your Sticky Table Timeout is not set extremely low (and your's isn't) there should be no reason for the sticky association to change servers, unless, the application is renegotiating the SSL Session frequently (an application issue). This would cause a new hash and therefore, a new sticky condition balanced according the the ACA alogorithm.

I do not know a way to monitor the decision process, however, maybe Gilles can show you a debug routine.

Mit Fruendlich Gruss Aus New England

Jim

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to jphilope

‎01-31-2006 10:07 AM

Alex,

internet explorer is well-known for re-negotiating the ssl id frequently.

If you search the web you should find many article about it.

There is no way to debug the CSS loadbalancing decision.

If you want to convince yourself that this is a client issue, capture a sniffer trace from a client showing the problem [www.ethereal.com to get a free sniffer].

The solution to this problem is to change the sticky method and use sticky source ip.

Gilles.

0 Helpful

dcayer
Level 1
Level 1

‎02-06-2006 06:50 PM

Hi Alex,

(I'm a CSS guy too!)

Have you investigated the actual SSL session ID's being used for that particular client when this error occurs?

We had a problem with very similar symptoms and had to use a Sniffer in order to find the root cause.

Our servers (I think they were IPlanet too, running on Linux) were not handling the SSL session-id "re-use" option properly. They were instead providing a bran new SSL session-id each time the client would send a SSL "re-negotiation handshake" (I'm not sure about terminology here!). In our case, we saw this happenning every 90 seconds, causing the clients to bounce from server to server because the CSS would not find a match in its SSL-sticky table and load-balancing would therefore take effect and cause the client to end up on a different server (similar to what you are reporting).

Unfortunately, in our case (also) we were unable to resolve this server issue and we resorted to src-sticky.

Good luck!

Dan

0 Helpful
Customers Also Viewed These Support Documents