topic Re: size limitation for cookie size of HTTP header/cookie? in Application Networking

size limitation for cookie size of HTTP header/cookie?

robertsmith.netexpert — Thu, 04 Jun 2009 10:45:45 GMT

Hi Everybody,

I am having 4 cisco ACE blades i.e 2 pairs and I have few questions when I am trying to configure stickiness and session persistence I am facing some issues for sticky table entry size

Is there any size limitation for cookie size of HTTP header/cookie?

what if it doesn't support large header/cookie size , is there any way to get the solution for this?

can somebody tell me what thing I am missing in my configuration?

RobertS

Re: size limitation for cookie size of HTTP header/cookie?

sachinga.hcl — Thu, 04 Jun 2009 10:48:12 GMT

Hi Robert,

See by default ACE can parse header of 4K Bytes . This default value can be changed using a http type parameter map.

The maximum an ACE can parse is 64K.

Following is an example to change it to maximum.

parameter-map type http PARAMETER_MAP_1

set header-maxparse-length 65535

then apply this parameter-map to the policy

policy-map multi-match ABC

class ABC

loadbalance vip inservice

loadbalance policy xxx

loadbalance vip icmp-reply

appl-parameter http advanced-options PARAMETER_MAP_1

For any further discussion plese dont hesitate to ask further.

Regards,

Sachin garg

Re: size limitation for cookie size of HTTP header/cookie?

robertsmith.netexpert — Thu, 04 Jun 2009 10:51:16 GMT

Hi Sachin,

Thanks for your fast response!!

If incase the http header exceeds 4k Bytes as you told me what will happen to the persistence? will it go to sticky by IP or not?

Is there any way we can setup session using ASP.NET session ID ?

Any document or link in this regard will be helpful

RobertS

Re: size limitation for cookie size of HTTP header/cookie?

sachinga.hcl — Thu, 04 Jun 2009 10:53:16 GMT

Hi Robert,

If a cookie, HTTP header, or URL

exceeds the default value, the ACE drops the packet and sends a RST

(reset) to the client browser.

This behavior can be changed using "length-exceed continue", however

I dont recommend this.

Its better to increase the Header parse length to the header length expected by your app.

May be this can answer your query.

Thanks for your rating.

Sachin garg

Re: size limitation for cookie size of HTTP header/cookie?

robertsmith.netexpert — Thu, 04 Jun 2009 11:02:32 GMT

Hi Sachin,

I will try these in my lab apart from this I azm having few more question in my mind , will be great to hear some guidelines from you in this regard?

How can I Verify that the load balancer (LB) is configured to load balance jpeg files.

How to review the configuration of the load balancer in this situation; if the load balancer should be configured to balance requests based on the ASP.Net session id of the request or something else.

How will I define the max size of HTTP header is there any configuration document availble to do this ?

And last question how shoud I define the load balancer fallback configuration if the HTTP header size is exceeded to the size you have suggested.

BTW Thanks you all for solving it so fast.

Roberts

Re: size limitation for cookie size of HTTP header/cookie?

sachinga.hcl — Thu, 04 Jun 2009 11:10:05 GMT

Hi Robert,

Kindly find my comments there below to your questions:

I will try these in my lab apart from this I azm having few more question in my mind

How can I Verify that the load balancer (LB) is configured to load balance jpeg files.

My comment:

You can configure this

How to review the configuration of the load balancer in this situation; if the load balancer should be configured to balance requests based on the ASP.Net session id of the request or something else.

My comment:

Use a sniffer like wireshark or ethreal and check the static portion of Jsession-ID (usually its 10 bytes from offset 53). Following is the config for offset53,length10

sticky http-cookie JSESSIONID stitcky1

cookie offset 53 length 10

serverfarm APP1-SF

policy-map type loadbalance first-match APP1-POLICY

class class-default

sticky-serverfarm stitcky1

How will I define the max size of HTTP header is there any configuration document availble to do this ?

My Comment:

As I mentioned earlier, use sniffer like wireshark or ethreal and check the size of the header for regular traffic. If its more than the default ACE value then adjust it using parameter map by using header-maxparse-length set it to

parameter-map type http APP1_PARAM_MAP

set header-maxparse-length

And last question how should I define the load balancer fallback configuration if the HTTP header size is exceeded to the size you have suggested.

My Comment:

By default packet is dropped & RST is sent by ACE for closing the connection. If you want to change this behavior then use "length-exceed continue" to allow such packets through ACE module .

Sachin garg

Re: size limitation for cookie size of HTTP header/cookie?

robertsmith.netexpert — Thu, 04 Jun 2009 11:12:20 GMT

Hi Sachin,

Thanks for your all replies.

As I am going to try all these options in my lab before making these changes to my production servers.

This is enough guidelines for my all queries as for now.

As once I will be reading mor eI will come up p with some more queries.

Thanks for your all fast responses.

RobertS

Re: size limitation for cookie size of HTTP header/cookie?

sachinga.hcl — Thu, 04 Jun 2009 11:15:13 GMT

Hi RobertS

Can you send me your config so that I can see what actually you have configured on your all 4 ace blades.

Sachin garg

Re: size limitation for cookie size of HTTP header/cookie?

robertsmith.netexpert — Thu, 04 Jun 2009 11:17:53 GMT

Hi Sachin,

Kindly Find below my config for your perusal:

Generating configuration....

access-list ICMP-INSPECT line 100 extended permit icmp any any

access-list INSIDE_IN line 10 extended permit ip any any

access-list OUTSIDE_IN line 10 extended permit ip any any

probe tcp tcp-7500

port 7500

interval 5

passdetect interval 5

parameter-map type connection NET-CONN-PARAMS

set tcp buffer-share 65535

tcp-options timestamp allow

no random-sequence-number

parameter-map type ssl SSL-WebEx-COM

cipher RSA_WITH_RC4_128_MD5 priority 6

cipher RSA_WITH_RC4_128_SHA priority 6

cipher RSA_WITH_DES_CBC_SHA priority 4

cipher RSA_WITH_3DES_EDE_CBC_SHA priority 5

cipher RSA_WITH_AES_128_CBC_SHA priority 7

cipher RSA_WITH_AES_256_CBC_SHA priority 7

cipher RSA_EXPORT_WITH_RC4_40_MD5 priority 3

cipher RSA_EXPORT1024_WITH_RC4_56_MD5 priority 3

cipher RSA_EXPORT_WITH_DES40_CBC_SHA priority 3

cipher RSA_EXPORT1024_WITH_DES_CBC_SHA priority 3

cipher RSA_EXPORT1024_WITH_RC4_56_SHA priority 3

rserver host test01

ip address 100.124.75.210

inservice

ssl-proxy service qa_ssl

ssl advanced-options SSL-WebEx-COM

serverfarm host ahz_wallice_testonepool-7500

probe tcp-7500

rserver test01 7500

inservice

sticky http-header F5_CREDENTIAL sticky_wallice_header

timeout 2

serverfarm ahz_wallice_testonepool-7500

class-map match-all ICMP-INSPECT

2 match access-list ICMP-INSPECT

class-map match-all cL4_ahz_wallice_testone-7500

2 match virtual-address 10.224.179.20 tcp eq 7500

class-map match-all cL4_ahz_wallice_testone-80

2 match virtual-address 10.224.179.20 tcp eq www

class-map type management match-any remote-access

2 match protocol telnet any

3 match protocol ssh any

4 match protocol http any

5 match protocol icmp any

6 match protocol snmp any

policy-map type management first-match remote-mgmt

class remote-access

permit

policy-map type loadbalance first-match pL7_ahz_wallice_testone-7500-header

class class-default

sticky-serverfarm sticky_wallice_header

policy-map type loadbalance first-match pL7_ahz_wallice_testone-7600

class class-default

serverfarm ahz_wallice_testonepool-7500

policy-map multi-match ICMP-INSPECT

class ICMP-INSPECT

inspect icmp error

policy-map multi-match NET-CONN-PARAMS

class class-default

connection advanced-options NET-CONN-PARAMS

policy-map multi-match pL4_ahz_wallice_testone

class cL4_ahz_wallice_testone-7500

loadbalance vip inservice

loadbalance policy pL7_ahz_wallice_testone-7500-header

loadbalance vip icmp-reply

nat dynamic 100 vlan 911

class cL4_ahz_wallice_testone-80

loadbalance vip inservice

loadbalance policy pL7_ahz_wallice_testone-7500-header

loadbalance vip icmp-reply

nat dynamic 100 vlan 911

interface vlan 911

description Internal

ip address 10.224.179.209 255.255.255.240

access-group input INSIDE_IN

nat-pool 100 10.224.179.210 10.224.179.210 netmask 255.255.255.255 pat

service-policy input remote-mgmt

service-policy input NET-CONN-PARAMS

service-policy input ICMP-INSPECT

service-policy input pL4_ahz_wallice_testone

no shutdown

interface vlan 912

description External

ip address 10.224.179.206 255.255.255.240

access-group input OUTSIDE_IN

service-policy input remote-mgmt

service-policy input NET-CONN-PARAMS

service-policy input ICMP-INSPECT

service-policy input pL4_ahz_wallice_testone

no shutdown

ip route 0.0.0.0 0.0.0.0 10.224.179.205

ip route 100.124.75.210 255.255.255.0 10.224.179.221

Ace_West/Infra#

RobertS