Cisco Support Community

New Member

SSL Sticky on Local Director 417

We have a Local Director 417 with 4 servers behind it. We require stateful SSL sessions for our web application that runs on our web servers. Currently we are using Generic SSL, but a vast majority of our clients are sitting behind Server Load Balancing Proxies. Thus, their IP addresses have a tendency to change and cause their session to terminate.

As an alternative, we decided to use the Sticky SSL. However, upon testing we cannot get this to work at all when the client connects through a proxy. From the LD's point of view, I can see an SSL Proxy connection being initiated (show conns), but running traces from the servers shows no communication b/w the LD and the server for that session. Eventually the connection times out. From the client's point of view, I can see a connection to the proxy being established, but eventually a "HTTP 1.0 500 error from proxy" is returned.

One other scenario I tested was to bypass the local proxy. When I do this, the connection is established and the SSL Sticky seems to work fine. However, I cannot expect the clients to "bypass" their proxy in order to gain access to our web apps.

Has anyone else seen this problem?

3 REPLIES
Cisco Employee

Re: SSL Sticky on Local Director 417

The LD will proxy the SSL connection since it needs to see the SSL ID before choosing the real server.

If you don't see a connection coming to the real server, it means the SSL negotiation between the LD and the proxy failed.

Could you capture a trace between these 2 devices?

Do you have a default route on the LD to route back to the proxy?

What's your software version?

Thanks,

Gilles.
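
The reply above says the LD has to see the SSL session ID before it chooses a real server. As an added illustration (not part of the thread and not LocalDirector's own code), this Python example reads the session ID from a ClientHello record and keys a sticky table on it instead of on the source IP. `StickyTable`, `build_client_hello` and the server names are hypothetical, and the sample records are constructed.

```python
import struct

def client_hello_session_id(record: bytes) -> bytes:
    """Return the session ID carried in an SSLv3/TLS ClientHello record (b"" if none)."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32        # handshake header, client_version, random
    if len(body) <= off:
        raise ValueError("truncated ClientHello")
    sid_len = body[off]
    if sid_len > 32 or len(body) < off + 1 + sid_len:
        raise ValueError("bad session ID length")
    return body[off + 1:off + 1 + sid_len]

class StickyTable:
    """Hypothetical session-ID sticky table; the client IP is never consulted."""
    def __init__(self, servers):
        self.servers, self.by_sid, self.turn = list(servers), {}, 0

    def learn(self, session_id: bytes, server: str) -> None:
        # Called once the chosen server's ServerHello has assigned a session ID.
        self.by_sid[session_id] = server

    def pick(self, record: bytes) -> str:
        sid = client_hello_session_id(record)
        if sid in self.by_sid:                      # resumed session: same server
            return self.by_sid[sid]
        server = self.servers[self.turn % len(self.servers)]   # new session: round robin
        self.turn += 1
        return server

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample record: TLS 1.0 ClientHello with one cipher suite."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

Because the lookup depends only on the session ID, a client whose source address changes between connections still lands on the server that issued its session.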

New Member

Re: SSL Sticky on Local Director 417

Capturing b/w these 2 devices is the one piece I don't have. It would require the assistance of another group in our environment...not an easy task, but I agree it's something that will need to be done to see exactly what is going on.

I have not set up any sort of route within the LD.

Software version is 4.2.5 (latest version).

Question: Would the Cisco CSS Switch resolve the problem we are currently seeing with session states being dropped when using Generic Sticky?

New Member

Re: SSL Sticky on Local Director 417

You mentioned a default route on the LD.

Well, I did not have one set in the LD and after I set it, the SSL sticky started to work.

Thank you for your assistance, it is much appreciated!

Thanks,

Kham
