12-12-2005 12:23 PM
Hi
I have a 6509 with a CSM module and an SSL module installed. A section of the config is as follows (IP addresses changed for security):
probe HTTP http
 request method get
 interval 5
 failed 10
!
serverfarm SF7020
 nat server
 no nat client
 predictor leastconns
 real 10.1.10.1
  inservice
 real 10.1.10.2
  inservice
 real 10.1.10.3
  inservice
 probe HTTP
!
serverfarm SSLFARM
 nat server
 no nat client
 predictor leastconns
 real 10.1.200.10
  inservice
!
sticky 100 ssl timeout 120
!
vserver ENC_VS7020
 virtual 192.168.1.1 tcp 4420
 vlan 10
 serverfarm SSLFARM
 sticky 120 group 100
 replicate csrp connection
 persistent rebalance
 inservice
!
vserver DEC_VS7020
 virtual 10.1.200.20 tcp 7020
 vlan 200
 serverfarm SF7020
 sticky 120
 replicate csrp connection
 persistent rebalance
 inservice
!
My question is, do I need the 'stickiness' on the vserver 'DEC_VS7020' for the decrypted traffic returning from the SSL module? Would/could this be causing a problem? We are experiencing uneven load balancing across the real servers.
Thanks Phil.
12-13-2005 01:51 AM
It depends on your server requirements.
For example, if this is a merchant website where people put items in a shopping basket, the basket most probably only exists on one server, so if the user closes the TCP connection and opens a new one, you want to guarantee that he goes back to the same server to retrieve his basket.
We can't tell you if you need stickiness or not.
Only people with knowledge of the application can answer the question.
Regards,
Gilles.
12-13-2005 03:40 AM
Gilles
Thanks again for the quick response.
We do require the connections to be sticky and that's why I have created an SSL sticky group (100) for the initial encrypted connection. I was just wondering whether the stickiness on the vserver for the decrypted traffic coming back from the SSL module is necessary or even if this could be causing our problems.
Am I right in thinking the first sticky group (100) will guarantee SSL connectivity to the first real server it is connected to? Because there is only one SSL module, I'm unsure if the second 'stickiness' is necessary and if it could be interfering with the first one. Your comments/thoughts would be much appreciated.
Thanks
Phil.
12-13-2005 04:09 AM
Phil,
Your sticky group 100 is useless.
It will guarantee that the encrypted traffic is always sent to the same SSL module.
Since you have only one, it is useless.
You need a sticky group for the decrypted traffic because there you have multiple real servers.
If the SSL module sends the decrypted traffic to the vserver, you need stickiness if you want to guarantee that the same user always goes to the same real.
Regards,
Gilles.
12-13-2005 04:43 AM
Gilles
I will remove the SSL sticky group when I can (later this week) and I'll let you know the outcome.
Regards
Phil.
12-13-2005 05:45 AM
Phil,
Again, the SSL sticky group is useless.
Removing it should not have any impact.
It means it will not solve your load balancing issue.
When using sticky source IP, it is very common to have uneven load balancing because of the mega proxy issue [thousands of users behind a single IP address].
The best solution to solve this is to use cookie stickiness.
Regards,
Gilles.
12-21-2005 01:31 AM
Gilles
Cookie stickiness has been discussed and rejected at a higher level with the customer. The client workstations for the load balanced services will not be connecting via proxy servers in this case.
If, as you suggest, the vserver for the decrypted traffic returning from the SSL module has to be sticky, is there a possibility of the SSL module IP address being regarded as the client (with respect to the vserver) and therefore being 'stuck' to the first real server it is passed to?
With so many choices of where to use the sticky command and the limited documentation, it can get very confusing. How do I ensure the client communicates with the same real server now that the connection goes through an extra loop with the SSL module?
Regards
Phil.
12-21-2005 01:46 AM
Phil,
The SSL module will not use its IP address to communicate with the server. It always reuses the client IP.
Therefore, you can simply use sticky source IP on the clear text content rule.
Gilles.
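As an added illustration of two points made in this thread (this is not code from the thread or from Cisco): first, that source-IP stickiness behind a "mega proxy" skews a leastconns farm because thousands of users share one sticky key, while cookie stickiness does not; second, that the SSL module hands the decrypted request to the clear-text vserver with the original client IP, so source-IP stickiness on DEC_VS7020 still works per user. The Python model below assumes a simplified leastconns predictor with a single sticky table, uses the real server and SSL module addresses from the posted config, and constructs the client addresses (192.0.2.x, 203.0.113.5) and session cookies; the `preserve_client_ip=False` case models the behaviour Phil asked about, which the module does not do.

```python
from collections import Counter

# Real servers of the SF7020 farm and the SSL module real, from the posted config.
REALS = ["10.1.10.1", "10.1.10.2", "10.1.10.3"]
SSL_MODULE_IP = "10.1.200.10"


class DecryptVserver:
    """Simplified model of the clear-text vserver (DEC_VS7020): a leastconns
    predictor plus one sticky table whose key is chosen by the caller.
    Assumption: this follows the thread's description, not CSM internals."""

    def __init__(self, reals, keyfn):
        self.reals = list(reals)
        self.conns = Counter({r: 0 for r in self.reals})  # connections per real
        self.sticky = {}                                   # sticky key -> real
        self.keyfn = keyfn                                 # request -> key or None

    def pick_leastconns(self):
        # min() returns the first real on ties, i.e. config order, like a fresh farm.
        return min(self.reals, key=lambda r: self.conns[r])

    def handle(self, request):
        key = self.keyfn(request)
        real = self.sticky.get(key)
        if real is None:                 # no sticky entry yet: let the predictor choose
            real = self.pick_leastconns()
            if key is not None:
                self.sticky[key] = real  # remember the choice for this key
        self.conns[real] += 1            # connections are counted but never closed here,
        return real                      # so the predictor's choice stays visible


def source_ip_key(req):
    """Sticky on source IP (what 'sticky 120' on DEC_VS7020 keys on)."""
    return req["src_ip"]


def cookie_key(req):
    """Sticky on a session cookie; assumed already set by the application."""
    return req.get("cookie")


def ssl_module_forward(req, preserve_client_ip=True):
    """Models the SSL module handing the decrypted request to DEC_VS7020.
    Per Gilles' answer the module reuses the client IP, hence the default.
    preserve_client_ip=False models the behaviour Phil was worried about."""
    fwd = dict(req)
    if not preserve_client_ip:
        fwd["src_ip"] = SSL_MODULE_IP
    return fwd


def make_requests(n_users, shared_ip=None, visits=2):
    """Constructed traffic: n_users users, each opening `visits` connections.
    With shared_ip set, every user sits behind the same proxy address."""
    reqs = []
    for u in range(n_users):
        ip = shared_ip or f"192.0.2.{u + 1}"   # constructed TEST-NET-1 addresses
        for _ in range(visits):
            reqs.append({"user": u, "src_ip": ip, "cookie": f"sess-{u}"})
    return reqs


def simulate(requests, keyfn, preserve_client_ip=True):
    """Returns (connections per real, real chosen for each request)."""
    vs = DecryptVserver(REALS, keyfn)
    chosen = [vs.handle(ssl_module_forward(r, preserve_client_ip)) for r in requests]
    return dict(vs.conns), chosen


def same_real_per_user(requests, chosen):
    """True if every user's connections all landed on one real (stickiness held)."""
    first = {}
    return all(first.setdefault(r["user"], real) == real
               for r, real in zip(requests, chosen))


if __name__ == "__main__":
    direct = make_requests(30)
    proxied = make_requests(30, shared_ip="203.0.113.5")  # constructed mega-proxy address
    print("distinct IPs, source-IP sticky:", simulate(direct, source_ip_key)[0])
    print("mega-proxy,   source-IP sticky:", simulate(proxied, source_ip_key)[0])
    print("mega-proxy,   cookie sticky:   ", simulate(proxied, cookie_key)[0])
    print("SSL module using its own IP (not CSM behaviour):",
          simulate(direct, source_ip_key, preserve_client_ip=False)[0])
```

With 30 users behind distinct addresses the three reals end up with 20 connections each and every user stays on one real; the same 30 users behind one proxy address all land on 10.1.10.1 under source-IP stickiness but spread evenly again under cookie stickiness. The last case shows why the question about the SSL module's address mattered: if the module replaced the client IP with its own, the clear-text vserver would see a single key and pin everything to one real.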
12-21-2005 02:25 AM
Gilles
Thanks for the quick reply.
That's what I thought but it's nice to have it confirmed - at this stage I'll clutch at any straw.
Regards
Phil.