Sticky with cookie

josephschung

Do you know how to configure the 11501 to have sticky with cookie while SSL is used?

Thanks.

Are you offloading SSL on CSS?

If not, then the CSS can't look into the header and you cannot use cookie as sticky.

Syed Iftekhar Ahmed

SSL is NOT terminated on the 11501; the cert is installed on the web servers behind the CSS. Can I use cookie as sticky?

Thanks.

No, you cannot.

As I said earlier, traffic that passes through the CSS will be encrypted. The CSS won't be able to open the header and read the cookie.

Your only option is to use IP address based stickiness.

Syed Iftekhar Ahmed

jgurfinkiel

If SSL is terminated on the server, you either do stickiness based on SSL ID, or on source IP, or on source IP/dest. port, because you cannot read the cookie within the SSL (encrypted) traffic.

Hope this helps

I am not an advocate of SSL ID based stickiness.

It should be kept in mind that using SSL ID (as a sticky method) is not a very reliable method (because of SSL renegotiation by some clients).

For example, some IE versions renegotiate the SSL ID during a session. This forces a new session ID, so sticky is no longer there.

Source IP is more reliable unless a larger number of clients are using the same source IP address (using a mega proxy server).

The following link will give you some idea about SSL ID renegotiation.

http://support.microsoft.com/kb/265369

Syed Iftekhar Ahmed
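
The trade-off discussed in the replies above, as an added example that is not part of any post in this thread and is not the CSS's own logic. It assumes a simplified sticky table keyed on the session ID offered in the plaintext ClientHello; the helper names, IP addresses, session IDs and records are constructed, and only WEB01/WEB02 come from the thread.

```python
import struct
from itertools import cycle

def client_hello_session_id(record: bytes):
    """Session ID from a plaintext TLS ClientHello record, or None."""
    if len(record) < 5:
        return None
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    # 22 = handshake, first byte 1 = ClientHello. Type 23 (application data,
    # where HTTP headers and cookies travel) is ciphertext to a pass-through device.
    if ctype != 22 or len(body) < 4 or body[0] != 1:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # client_version (2) + random (32) + session_id length (1)
        return None
    sid = hello[35:35 + hello[34]]
    return sid if sid and len(sid) == hello[34] else None

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample: minimal ClientHello, one cipher suite, no extensions."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def balance(conns, key_fn, servers=("WEB01", "WEB02")):
    """Sticky table: a key seen for the first time gets the next server in turn."""
    table, turn, picks = {}, cycle(servers), []
    for conn in conns:
        key = key_fn(conn)
        if key not in table:
            table[key] = next(turn)
        picks.append(table[key])
    return picks

# Constructed traffic: (source IP, first TLS record on the connection)
SID_A, SID_A2, SID_B, SID_C = (bytes([b]) * 32 for b in (0xA1, 0xA2, 0xB1, 0xC1))
CONNS = [
    ("192.0.2.10", build_client_hello(SID_A)),     # client A
    ("192.0.2.10", build_client_hello(SID_A)),     # client A resumes the session
    ("192.0.2.10", build_client_hello(SID_A2)),    # client A with a new session ID
    ("198.51.100.7", build_client_hello(SID_B)),   # client B behind a proxy
    ("198.51.100.7", build_client_hello(SID_C)),   # client C behind the same proxy
]
APP_DATA = b"\x17\x03\x01\x00\x04\x8f\x1c\x02\x99"  # constructed ciphertext record

by_ssl_id = balance(CONNS, lambda c: client_hello_session_id(c[1]))
by_src_ip = balance(CONNS, lambda c: c[0])
print(by_ssl_id, by_src_ip, client_hello_session_id(APP_DATA))
```

With SSL ID as the key, client A moves to WEB02 as soon as its session ID changes; with source IP as the key, A stays on WEB01 but both clients behind the proxy address land on the same server.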

Thanks Syed.

Below is my existing configuration:

content SSL
  vip address 10.106.13.224
  redundant-index 36
  advanced-balance ssl
  application ssl
  add service WEB01
  add service WEB02
  protocol tcp
  port 443
  url "/*"
  active

Do you recommend replacing the following with "advanced-balance sticky-srcip"?

  advanced-balance ssl
  application ssl
  port 443

Thanks.

If you are running this config without any complaints, then you don't need to change it.

The SSL ID renegotiation problem is with a limited number of browsers. If you are not receiving any complaints, then you are good.

Syed Iftekhar Ahmed

The application team complains that their timeout counter of 30 min does not seem to be working very well.

Maybe it is worth a try to replace the commands.
