New Member

Sticky with cookie

Do you know how to configure the 11501 to have sticky with cookie while SSL is used?

Thanks.


Re: Sticky with cookie

Are you offloading SSL on CSS?

If not, then the CSS can't look into the header and you cannot use a cookie as sticky.

Syed Iftekhar Ahmed

New Member

Re: Sticky with cookie

SSL is NOT terminated on the 11501; the cert is installed on the web servers behind the CSS. Can I use a cookie as sticky?

Thanks.

Re: Sticky with cookie (accepted solution)

No, you cannot.

As I said earlier, traffic that passes through the CSS will be encrypted. The CSS won't be able to open the header and read the cookie.

Your only option is to use IP address based stickiness.

Syed Iftekhar Ahmed

New Member

Re: Sticky with cookie

If SSL is terminated on the server, you either do stickiness based on SSL ID, or on source IP, or source IP/dest. port, because you cannot read the cookie within the SSL (encrypted) traffic.

Hope this helps

Re: Sticky with cookie

I am not an advocate of SSL ID based stickiness.

It should be kept in mind that using SSL ID (as a sticky method) is not a very reliable method (because of SSL renegotiation by some clients).

For example, some IE versions renegotiate the SSL ID during a session. This forces a new session ID, so sticky is no longer there.

Source IP is more reliable unless a large number of clients are using the same source IP address (using a mega proxy server).

The following link will give you some idea about SSL ID renegotiation.

http://support.microsoft.com/kb/265369

Syed Iftekhar Ahmed
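
Added example, not part of the original thread and not Cisco code: a small Python model of the two sticky methods compared above, keyed only on what a pass-through balancer can see (the session ID in the cleartext ClientHello, or the source IP). The function and class names, the session IDs and the client addresses are constructed for illustration; WEB01 and WEB02 are the service names from the poster's configuration.

```python
import itertools
import struct

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal TLS ClientHello record (sample input, no extensions)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f\x01\x00"   # one cipher suite, null compression
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def client_hello_session_id(record: bytes) -> bytes:
    """Session ID from the cleartext ClientHello: visible without decrypting."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    off = 5 + 4 + 2 + 32   # record header, handshake header, version, random
    return record[off + 1 : off + 1 + record[off]]

class StickyTable:
    """Maps a visible key to a service; round-robin on first sight of a key."""
    def __init__(self, services):
        self._next = itertools.cycle(services)
        self._table = {}
    def pick(self, key):
        if key not in self._table:
            self._table[key] = next(self._next)
        return self._table[key]

def simulate(connections, services=("WEB01", "WEB02")):
    """connections: list of (src_ip, client_hello_bytes).
    Returns (services chosen by SSL-ID sticky, services chosen by source-IP sticky).
    Simplification: the key is the session ID offered in the ClientHello."""
    by_ssl_id, by_src_ip = StickyTable(services), StickyTable(services)
    ssl_picks, ip_picks = [], []
    for src_ip, hello in connections:
        ssl_picks.append(by_ssl_id.pick(client_hello_session_id(hello)))
        ip_picks.append(by_src_ip.pick(src_ip))
    return ssl_picks, ip_picks

ID_A, ID_B = b"\xaa" * 32, b"\xbb" * 32   # constructed session IDs

if __name__ == "__main__":
    # One browser at 192.0.2.10: resumes ID_A once, then shows up with ID_B.
    one_client = [("192.0.2.10", build_client_hello(s)) for s in (ID_A, ID_A, ID_B)]
    print(simulate(one_client))
    # Four users behind one proxy address, each with its own session ID.
    proxy = [("198.51.100.1", build_client_hello(bytes([i]) * 32)) for i in range(4)]
    print(simulate(proxy))
```

The first case shows the session-ID key moving the same client to another server once its ID changes, while the source-IP key holds; the second shows the source-IP key sending every user behind one proxy address to a single server.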

New Member

Re: Sticky with cookie

Thanks Syed.

Below is my existing configuration:

content SSL
  vip address 10.106.13.224
  redundant-index 36
  advanced-balance ssl
  application ssl
  add service WEB01
  add service WEB02
  protocol tcp
  port 443
  url "/*"
  active

Do you recommend replacing the following with "advanced-balance sticky-srcip"?

  advanced-balance ssl
  application ssl
  port 443

Thanks.

Re: Sticky with cookie

If you are running this config without any complaints, then you don't need to change it.

The SSL ID renegotiation problem is with a limited number of browsers. If you are not receiving any complaints, then you are good.

Syed Iftekhar Ahmed

New Member

Re: Sticky with cookie

The application team complains that their timeout counter of 30 min does not seem to be working very well.

Maybe it is worth a try to replace the commands.
