Using Sticky with SSL

p.bailey
Level 1

Hi

I have a 6509 with a CSM module and an SSL module installed. A section of the config is as follows (IP addresses changed for security):

probe HTTP http
 request method get
 interval 5
 failed 10
!
serverfarm SF7020
 nat server
 no nat client
 predictor leastconns
 real 10.1.10.1
  inservice
 real 10.1.10.2
  inservice
 real 10.1.10.3
  inservice
 probe HTTP
!
serverfarm SSLFARM
 nat server
 no nat client
 predictor leastconns
 real 10.1.200.10
  inservice
!
sticky 100 ssl timeout 120
!
vserver ENC_VS7020
 virtual 192.168.1.1 tcp 4420
 vlan 10
 serverfarm SSLFARM
 sticky 120 group 100
 replicate csrp connection
 persistent rebalance
 inservice
!
vserver DEC_VS7020
 virtual 10.1.200.20 tcp 7020
 vlan 200
 serverfarm SF7020
 sticky 120
 replicate csrp connection
 persistent rebalance
 inservice
!

My question is, do I need the 'stickiness' on the vserver 'DEC_VS7020' for the decrypted traffic returning from the SSL module? Would/could this be causing a problem? We are experiencing uneven load balancing across the real servers.

Thanks Phil.

8 Replies

Gilles Dufour
Cisco Employee

it depends on your server requirements.

For example, if this is a merchant website where people put items in a shopping basket, the basket most probably only exists on one server, so if the user closes the tcp connection and opens a new one, you want to guarantee that he goes back to the same server to retrieve his basket.

We can't tell you if you need stickiness or not.

Only people with the knowledge of the application can answer the question.

Regards,

Gilles.

Thanks for rating this answer.

Gilles

Thanks again for the quick response.

We do require the connections to be sticky and that's why I have created an SSL sticky group (100) for the initial encrypted connection. I was just wondering whether the stickiness on the vserver for the decrypted traffic coming back from the SSL module is necessary or even if this could be causing our problems.

Am I right in thinking the first sticky group (100) will guarantee SSL connectivity to the first real server it is connected to? Because there is only one SSL module, I'm unsure if the second 'stickiness' is necessary and if it could be interfering with the first one. Your comments/thoughts would be much appreciated.

Thanks

Phil.

Phil,

your sticky group 100 is useless.

It will guarantee that the encrypted traffic is always sent to the same ssl module.

Since you have only one, it is useless.

You need a sticky group for the decrypted traffic because there you have multiple real servers.

If the SSL module sends the decrypted traffic to the vserver, you need stickiness if you want to guarantee that the same user always goes to the same real.

Regards,

Gilles.

Gilles

I will remove the SSL sticky group when I can (later this week) and I'll let you know the outcome.

Regards

Phil.

Phil,

again, the ssl sticky group is useless.

Removing it should not have any impact.

It means it will not solve your load balancing issue.

When using sticky source ip, it is very common to have uneven load balancing because of the mega proxy issue [thousands of users behind a single ip address].

Best solution to solve this is to use cookie stickiness.

Regards,

Gilles.

Gilles

Cookie stickiness has been discussed and rejected at a higher level with the customer. The client workstations for the load balanced services will not be connecting via proxy servers in this case.

If, as you suggest, the vserver for the decrypted traffic returning from the SSL module has to be sticky, is there a possibility of the SSL module IP address being regarded as the client (with respect to the vserver) and therefore being 'stuck' to the first real server it is passed to?

With so many choices of where to use the sticky command and the limited documentation, it can get very confusing. How do I ensure the client communicates with the same real server now that the connection goes through an extra loop with the SSL module?

Regards

Phil.

Phil,

the SSL module will not use its ip address to communicate with the server. It always reuses the client ip.

Therefore, you can simply use sticky source ip on the clear text content rule.

Gilles.

Gilles

Thanks for the quick reply.

That's what I thought but it's nice to have it confirmed - at this stage I'll clutch at any straw.

Regards

Phil.
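As an added example that is not part of this thread and not Cisco code, the following Python model illustrates the two points Gilles makes above: a sticky group in front of SSLFARM's single real can only ever choose that one real, and source-IP stickiness on the clear-text vserver (which sees the original client address, since the SSL module reuses it) sends every user behind one shared address to a single real. The farm names, real addresses and the 120-minute timeout are taken from Phil's config; the predictor and sticky-table logic are a simplified model, not the CSM's actual implementation, and all traffic is constructed.

```python
"""Toy model of CSM-style sticky load balancing (written for this thread).

Not Cisco code: it only models the behaviours discussed above, namely a
sticky group with a single real changing nothing, and source-IP stickiness
becoming uneven when many users share one address (the "mega proxy" case).
"""
from collections import Counter


class StickyFarm:
    """Serverfarm with a leastconns predictor and a sticky table.

    `key` selects the sticky attribute of a connection ("ssl" for the SSL
    session id, "src_ip" for the client address). `timeout_min` is the
    sticky duration in minutes, as in `sticky 100 ssl timeout 120`.
    """

    def __init__(self, reals, key, timeout_min):
        self.conns = {real: 0 for real in reals}  # connections per real
        self.key = key
        self.timeout = timeout_min
        self.table = {}  # sticky value -> (real, minute last seen)

    def pick(self, conn, now_min):
        value = conn[self.key]
        entry = self.table.get(value)
        if entry and now_min - entry[1] <= self.timeout:
            real = entry[0]  # sticky hit: same real as last time
        else:
            real = min(self.conns, key=self.conns.get)  # leastconns
        self.table[value] = (real, now_min)
        self.conns[real] += 1
        return real


def distribute(farm, connections):
    """Send every (minute, connection) through the farm; count per real."""
    hits = Counter(farm.pick(conn, minute) for minute, conn in connections)
    return {real: hits.get(real, 0) for real in farm.conns}


def mega_proxy(users, proxy_ip="203.0.113.5"):
    """Constructed traffic: `users` distinct browsers NATed behind one IP.

    Each user has its own SSL session id but the same source address.
    """
    return [(0, {"src_ip": proxy_ip, "ssl": f"sess{n}"}) for n in range(users)]


SF7020 = ["10.1.10.1", "10.1.10.2", "10.1.10.3"]
SSLFARM = ["10.1.200.10"]
```

Running `distribute(StickyFarm(SF7020, "src_ip", 120), mega_proxy(300))` places all 300 users on one real, while three distinct client addresses spread evenly; the same 300 users against `StickyFarm(SSLFARM, "ssl", 120)` can only ever land on 10.1.200.10.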