
SSL Sticky URL issue

stephen.stack
Level 4

Hi Guys,

I have inherited the config on this loadbalancer to troubleshoot.

Our customer needs the CSS to create sticky sessions based on the jsessionid= in the URL. This does not seem to be working so well for us.

Can you have a look at the config below and tell me where it is going wrong?

The client traces show encrypted data. I am waiting for a server trace.

Can the CSS make stickies based on URL with this config?

!*************************** GLOBAL ***************************

ssl associate rsakey key.key key.key

ssl associate cert ceis_cun ceis_cun_gov_uk.pem

ssl associate cert queus queus_gov_uk.pem

ip route 0.0.0.0 0.0.0.0 10.171.6.1 1

!************************* INTERFACE *************************

interface e1

bridge vlan 20

phy 100Mbits-FD

interface e2

bridge vlan 20

phy 100Mbits-FD

interface e3

bridge vlan 20

phy 100Mbits-FD

interface e4

bridge vlan 20

phy 100Mbits-FD

interface e5

bridge vlan 20

phy 100Mbits-FD

interface e6

bridge vlan 20

phy 100Mbits-FD

interface e7

phy 100Mbits-FD

interface e8

bridge vlan 20

phy 100Mbits-FD

!************************** CIRCUIT **************************

circuit VLAN20

ip address 10.171.6.5 255.255.255.192

ip virtual-router 1 priority 110 preempt

ip redundant-vip 1 10.171.6.4

ip redundant-vip 1 10.171.6.10

ip redundant-interface 1 10.171.6.9

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list ssl

ssl-server 4

ssl-server 4 vip address 10.171.6.4

ssl-server 4 rsacert ceis_cun

ssl-server 4 rsakey key.key

ssl-server 10

ssl-server 10 vip address 10.171.6.10

ssl-server 10 rsakey key.key

ssl-server 10 rsacert queus

ssl-server 4 cipher rsa-with-rc4-128-md5 10.171.6.14 80

ssl-server 10 cipher rsa-with-rc4-128-md5 10.171.6.14 80

active

!************************** SERVICE **************************

service app-1

ip address 10.171.6.21

port 80

keepalive port 80

keepalive type http

keepalive uri "/uptime.txt"

active

service app-2

ip address 10.171.6.22

port 80

keepalive type http

keepalive uri "/uptime.txt"

active

service app-3

ip address 10.171.6.23

port 80

keepalive type http

keepalive uri "/uptime.txt"

active

service REDIRECT_ceis

keepalive type none

type redirect

no prepend-http

domain "https://queus.uk"

active

service REDIRECT_que

keepalive type none

type redirect

no prepend-http

domain "https://ceis.cun.uk"

active

service ssl-module

type ssl-accel

keepalive type none

slot 2

add ssl-proxy-list ssl

active

!*************************** OWNER ***************************

owner content

content app-http

add service app-1

add service app-2

add service app-3

vip address 10.171.6.14

protocol tcp

port 80

string range 1 to 22

advanced-balance url

string prefix "jsessionid="

active

content REDIRECT_ceis

vip address 10.171.6.10

add service REDIRECT_ceis

protocol tcp

port 80

url "/*"

active

content REDIRECT_que

port 80

url "/*"

protocol tcp

vip address 10.171.6.4

add service REDIRECT_que

active

content SSL_ceis

port 443

vip address 10.171.6.10

add service ssl-module

active

content SSL_que

port 443

protocol tcp

vip address 10.171.6.4

add service ssl-module

active

Cheers

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Gilles Dufour
Cisco Employee

Stephen,

the CSS does not support dynamic cookies.

We can work with a static cookie - you know in advance the cookie value or a portion of the cookie set by the server. Or you let the CSS generate its own cookie value.

The new ACE Appliance C4710 does support dynamic cookies.

Gilles.

Hi Gilles,

Thanks for the reply. In our case, the text that comes after the jsessionid= is static for the duration of the session. But only for that session.

Is this classified as a dynamic cookie?

Also, is it the case with our config that the CSS cannot read the URL header because it is encrypted?

Thanks

Stephen

Stephen,

it is considered dynamic.

If the jsessionid contained the servername (which is normally static) we could stick using that info.

Try arrowpoint-cookie instead.

If the client browser supports cookies, another one would not be a problem.

The command you need is 'advanced-balance arrowpoint'

Gilles.

Hi Gilles,

Thanks for the update. This is very helpful.

We have gone back to the developers to have them attempt to pass a specific string per server in the URL.

i.e.

jsessionid=server1568756

jsessionid=server2776867

etc...

I assume this is what you mean? Once a specific string is passed for each server, we can provide sticky on this?

Thanks

Stephen

Stephen,

this is exactly what I meant.

Once there is a static portion in the cookie, you can assign this static value to the service and tell the CSS to match the cookie value to the string configured under the service.

This should be described in the documentation.

If you have a problem with this, let me know.

I'd like to also repeat the fact that the arrowpoint cookie is a valid solution which does not require any modification of the servers.

ACE will inject a static cookie that is different for each server.

G.

Thanks for your help again, Gilles.

I agree about arrowpoint, but the application developers do not want to use it.

We will attempt to put static entries in the URL/Cookie.

Thanks for your help again.

Stephen

Hi Gilles,

I have applied a new config as the app developer has applied a static portion to the cookie.

The URL is https://url.domain.local/whoShould;jsessionid=1940875311106FF91885.app2

A portion of our new config is

service 2011-dun-app-1

ip address 10.171.6.21

port 80

keepalive uri "/uptime.txt"

keepalive type http

string app1

active

service 2011-dun-app-2

ip address 10.171.6.22

port 80

keepalive uri "/uptime.txt"

keepalive type http

string app2

active

service 2011-dun-app-3

ip address 10.171.6.23

port 80

keepalive uri "/uptime.txt"

keepalive type http

string app3

active

!*************************** OWNER ***************************

owner 2011

content 2011-dun-app-http

add service 2011-dun-app-1

add service 2011-dun-app-2

add service 2011-dun-app-3

vip address 10.171.6.14

string match first-string-found

advanced-balance url

string range 1 to 200

string process-length 4

string skip-length 21

port 80

protocol tcp

string prefix "jsessionid="

active

But stickiness is still not working. :(

Has the fact that https is on this box anything to do with my issue?

Thanks again

Stephen

Hello Stephen,

Have you tried changing the advanced-balance method on the content rule to cookies or cookieurl? Also, apply the following within the content rule "url /*". Since you are attempting to use L5 persistence, this command will force the CSS to see this content rule as a layer 5 rule.

Hope the info helps!
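
As an added example (not part of the thread and not Cisco code), the following Python models the string prefix / skip-length / process-length arithmetic of the 2011-dun-app-http content rule posted above against the URL quoted in the thread, to check that the offsets land on the per-server token. The extraction semantics and the function names are assumptions of this simplified model.

```python
# Simplified model of the string settings in the posted content rule.
# Assumption: the prefix is searched for inside the configured byte range of
# the URL, skip-length bytes after the prefix are ignored, and the next
# process-length bytes are compared with each service's "string" value.
from typing import Optional

# Service name -> "string" value, taken from the config posted in the thread.
SERVICES = {
    "2011-dun-app-1": "app1",
    "2011-dun-app-2": "app2",
    "2011-dun-app-3": "app3",
}

# Path portion of the URL quoted in the thread.
SAMPLE_URL = "/whoShould;jsessionid=1940875311106FF91885.app2"


def extract_token(url: str, prefix: str = "jsessionid=", first: int = 1,
                  last: int = 200, skip: int = 21, length: int = 4) -> Optional[str]:
    """Return the bytes the rule would compare, or None if nothing is found."""
    window = url[first - 1:last]            # "string range" is 1-based, inclusive
    pos = window.find(prefix)
    if pos < 0:
        return None
    start = pos + len(prefix) + skip        # "string skip-length"
    return window[start:start + length] or None   # "string process-length"


def pick_service(url: str, **rule) -> Optional[str]:
    """Service whose string equals the extracted token; None means no stick."""
    token = extract_token(url, **rule)
    for name, value in SERVICES.items():
        if token == value:
            return name
    return None


def required_skip(url: str, token: str, prefix: str = "jsessionid=") -> Optional[int]:
    """Skip-length needed for `token` to be reached in a captured URL."""
    _, found, after = url.partition(prefix)
    if not found or token not in after:
        return None
    return after.index(token)


if __name__ == "__main__":
    print(extract_token(SAMPLE_URL), pick_service(SAMPLE_URL),
          required_skip(SAMPLE_URL, "app2"))
```

In this model a fixed skip-length only works while every session ID has the same length; running required_skip over URLs captured on the server side shows whether that holds.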
