https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562266#M32003 <P>Does anyone know what the "Layer 4 hash value" is mentioned in the documentation under ssl-l4-fallback?</P><P></P><P>Our standard SSL content rules look like:</P><P></P><P><SPAN style="color: #008080; font-family: courier new,courier;">&nbsp; content layer5rule <BR />&nbsp;&nbsp;&nbsp; vip address 123.45.67.89 <BR />&nbsp;&nbsp;&nbsp; port 443 <BR />&nbsp;&nbsp;&nbsp; protocol tcp <BR />&nbsp;&nbsp;&nbsp; application ssl <BR />&nbsp;&nbsp;&nbsp; advanced-balance ssl <BR />&nbsp;&nbsp;&nbsp; add service server1.dmz_ssl <BR />&nbsp;&nbsp;&nbsp; add service server2.dmz_ssl <BR />&nbsp;&nbsp;&nbsp; active <BR /></SPAN></P><P>advanced-balance SSL is supposed to use the SSL3 session ID for stickiness. It seems to me that this shouldn't be very sticky. Our Apache servers have MaxKeepAliveRequests 100. I'd expect a new SSL3 session ID after 100 requests. Round-robin load balancing should kick in and the user could possibly end up on a different server.</P><P></P><P>The comments around the Layer 4 hash value make me suspect that something more complicated is happening though. Why is it that this stickiness works at all?</P> Wed, 29 Sep 2010 19:22:01 GMT ryankogel1 2010-09-29T19:22:01Z https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562266#M32003 <P>Does anyone know what the "Layer 4 hash value" is mentioned in the documentation under ssl-l4-fallback?</P><P></P><P>Our standard SSL content rules look like:</P><P></P><P><SPAN style="color: #008080; font-family: courier new,courier;">&nbsp; content layer5rule <BR />&nbsp;&nbsp;&nbsp; vip address 123.45.67.89 <BR />&nbsp;&nbsp;&nbsp; port 443 <BR />&nbsp;&nbsp;&nbsp; protocol tcp <BR />&nbsp;&nbsp;&nbsp; application ssl <BR />&nbsp;&nbsp;&nbsp; advanced-balance ssl <BR />&nbsp;&nbsp;&nbsp; add service server1.dmz_ssl <BR />&nbsp;&nbsp;&nbsp; add service server2.dmz_ssl <BR />&nbsp;&nbsp;&nbsp; active <BR /></SPAN></P><P>advanced-balance SSL is supposed to use the SSL3 session ID for stickiness. It seems to me that this shouldn't be very sticky. Our Apache servers have MaxKeepAliveRequests 100. I'd expect a new SSL3 session ID after 100 requests. Round-robin load balancing should kick in and the user could possibly end up on a different server.</P><P></P><P>The comments around the Layer 4 hash value make me suspect that something more complicated is happening though. Why is it that this stickiness works at all?</P> Wed, 29 Sep 2010 19:22:01 GMT https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562266#M32003 ryankogel1 2010-09-29T19:22:01Z https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562267#M32004 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-external-small" href="http://httpd.apache.org/docs/1.3/mod/core.html">http://httpd.apache.org/docs/1.3/mod/core.html</A></P><P>The MaxKeepAliveRequests directive limits the number of&nbsp;&nbsp;&nbsp;&nbsp; requests allowed <SPAN style="color: #ff0000;"><STRONG>per connection</STRONG></SPAN></P><P></P><P>this is per connection....so not related to the ssl sessionid which is only sent at the beginning of the connection.</P><P></P><P></P><P><A class="jive-link-external-small" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html">http://httpd.apache.org/docs/2.2/mod/mod_ssl.html</A></P><P>Check the SSLSessionCacheTimeout if you want to play with session id timeout.</P><P></P><P>Personnally, I would suggest you don't touch anything.</P><P>This method has been working for many people for a long time.</P><P>If you have a sticky issue, open a TAC case and we can assist you.</P><P></P><P>Also be aware that old SSL version do not have the session id, so you can't stick those clients.</P><P></P><P>Gilles.</P><H2><A id="SSLSessionCacheTimeout" name="SSLSessionCacheTimeout"></A></H2></BODY></HTML> Thu, 30 Sep 2010 12:56:20 GMT https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562267#M32004 Gilles Dufour 2010-09-30T12:56:20Z https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562268#M32005 <HTML><HEAD></HEAD><BODY><P>generally <SPAN style="color: #008080; font-family: courier new,courier;">advanced-balance ssl is not the best sticky for L4 ssl, since today many server s and clients (IE in particular) will renegotiate session id . ssl l4 fallback comes into play only when ssl is V2 or 3 packets go in either direction in beginning (retransmissions) without session id. here is how it works</SPAN></P><P></P><PRE style="margin: 0em;">This command is to insert&nbsp; L4 hash value to sticky table when CSS sees SSL hello or SynACK re-transmittions more than 3 times,which means CSS will use L4 src-ip sticky from now on, not using SSL session ID for sticky. Default is ssl-l4-fallback enable and behaves as explained above. If you disable, CSS will not fall back to L4 even it sees many re-transmittions. In the real world situation, we way only see this problem that CSS loading more traffic to one server (due to original behavior of L4 fall back) than another if user has some kind of NAT device or mega-proxy in front which will make CSS see limited tuple of src-ips and ports. When that tuple tries many re-transmittions, You will see CSS falling back to L4 from SSL sticky.<BR /><BR />Generally if you are loadbalancing ssl at layer4 you should be using src-ip sticky rather than session id. Again this is problematic in the megaproxy instance<BR />in which case you may wan tto consider terminating ssl on the css (would need an ssl card) and using cookie sticky.</PRE></BODY></HTML> Thu, 30 Sep 2010 13:28:19 GMT https://community.cisco.com/t5/application-networking/css-11500-ssl-stickiness/m-p/1562268#M32005 litrenta 2010-09-30T13:28:19Z