https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430158#M7797 <HTML><HEAD></HEAD><BODY><P>Gilles</P><P></P><P>I will remove the SSL sticky group when I can (later this week) and I'll let you know the outcome.</P><P></P><P>Regards</P><P></P><P>Phil.</P><P></P></BODY></HTML> Tue, 13 Dec 2005 12:43:58 GMT p.bailey 2005-12-13T12:43:58Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430154#M7793 <P>Hi</P><P></P><P>I have a 6509 with a CSM module and an SSL module installed. A section of the config is as follows (IP addresses changes for security):</P><P></P><P> probe HTTP http</P><P> request method get </P><P> interval 5 </P><P> failed 10 </P><P>!</P><P> serverfarm SF7020</P><P> nat server </P><P> no nat client</P><P> predictor leastconns</P><P> real 10.1.10.1</P><P> inservice</P><P> real 10.1.10.2</P><P> inservice</P><P> real 10.1.10.3</P><P> inservice</P><P> probe HTTP</P><P>!</P><P> serverfarm SSLFARM</P><P> nat server </P><P> no nat client</P><P> predictor leastconns</P><P> real 10.1.200.10</P><P> inservice</P><P>!</P><P> sticky 100 ssl timeout 120</P><P>!</P><P> vserver ENC_VS7020</P><P> virtual 192.168.1.1 tcp 4420</P><P> vlan 10</P><P> serverfarm SSLFARM</P><P> sticky 120 group 100</P><P> replicate csrp connection</P><P> persistent rebalance</P><P> inservice</P><P>!</P><P> vserver DEC_VS7020</P><P> virtual 10.1.200.20 tcp 7020</P><P> vlan 200</P><P> serverfarm SF7020</P><P> sticky 120</P><P> replicate csrp connection</P><P> persistent rebalance</P><P> inservice</P><P>!</P><P></P><P>My question is, do I need the 'stickiness' on the vserver 'DEC_VS7020' for the decrypted traffic returning from the SSL module? Would/could this be causing a problem? We are experiencing uneven loadbalancing across the real servers.</P><P></P><P>Thanks Phil.</P> Mon, 12 Dec 2005 20:23:53 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430154#M7793 p.bailey 2005-12-12T20:23:53Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430155#M7794 <HTML><HEAD></HEAD><BODY><P>it depends on yout server requirements.</P><P>For example, if this is a merchant website where people put items in a shopping basket, the basket most probably only exist on one server, so if the user closes the tcp connection and opens a new one, you want to guarantee that he goes back to the same server to retrieve his basket.</P><P></P><P>We can't tell you if you need stickyness or not.</P><P>only people with the knowledge of the application can answer the question.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P><P>Thanks for rating this answer.</P></BODY></HTML> Tue, 13 Dec 2005 09:51:45 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430155#M7794 Gilles Dufour 2005-12-13T09:51:45Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430156#M7795 <HTML><HEAD></HEAD><BODY><P>Gilles</P><P></P><P>Thanks again for the quick response.</P><P></P><P>We do require the connections to be sticky and that's why I have created a SSL sticky group (100) for the intial encrypted connection. I was just wondering whether the stickiness on the vserver for the decrypted traffic coming back from the SSL module is necessary or even if this could be causing our problems.</P><P></P><P>Am I right in thinking the first sticky group (100) will guarentee SSL connectivity to the first real server it is connected to? Because there is only one SSL module, I'm unsure if the second 'stickiness' is necessary and if it could be interferring with the first one. Your comments/thoughts would be much appreciated.</P><P></P><P>Thanks</P><P></P><P>Phil.</P><P></P></BODY></HTML> Tue, 13 Dec 2005 11:40:28 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430156#M7795 p.bailey 2005-12-13T11:40:28Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430157#M7796 <HTML><HEAD></HEAD><BODY><P>Phil,</P><P></P><P>your sticky group 100 is useless.</P><P>It will guarantee that the encrypted traffic is always sent to the same ssl module.</P><P>Since you have only one, it is useless.</P><P></P><P>You need a sticky group for the decrypted traffic because there you have multiple real servers.</P><P>If the SSL module send the decrypted traffic to the vserver, you need stickyness if you want to guarantee that the same user always goes to the same real.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 13 Dec 2005 12:09:19 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430157#M7796 Gilles Dufour 2005-12-13T12:09:19Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430158#M7797 <HTML><HEAD></HEAD><BODY><P>Gilles</P><P></P><P>I will remove the SSL sticky group when I can (later this week) and I'll let you know the outcome.</P><P></P><P>Regards</P><P></P><P>Phil.</P><P></P></BODY></HTML> Tue, 13 Dec 2005 12:43:58 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430158#M7797 p.bailey 2005-12-13T12:43:58Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430159#M7798 <HTML><HEAD></HEAD><BODY><P>Phil,</P><P></P><P>again, the ssl sticky group is useless.</P><P>Remving should not have any impact.</P><P>It means it will not solve your loadbalancing issue.</P><P></P><P>When using sticky source ip, it is very common to have uneven loadbalancing because of the mega proxy issue [thousands of users behing a single ip address]</P><P>Best solution to solve this is to use cookie stickyness.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 13 Dec 2005 13:45:23 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430159#M7798 Gilles Dufour 2005-12-13T13:45:23Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430160#M7799 <HTML><HEAD></HEAD><BODY><P>Gilles</P><P></P><P>Cookie stickyness has been discussed and rejected at a higher level with the customer. The client workstations for the load balanced services will not be connecting via proxy servers in this case.</P><P></P><P>If, as you suggest, the vserver for the decrypted traffic returning from the SSL module has to be sticky, is there a posibility of the SSL module IP address being regarded as the client (with respect to the vserver) and therefore being 'stuck' to the first real server it is passed to?</P><P></P><P>With so many choices of where to use the sticky command and the limited documentation, it can get very confusing. How do I ensure the client communicates with the same real server now the connection goes through an extra loop with the SSL module.</P><P></P><P></P><P>Regards</P><P></P><P>Phil.</P><P></P></BODY></HTML> Wed, 21 Dec 2005 09:31:09 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430160#M7799 p.bailey 2005-12-21T09:31:09Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430161#M7800 <HTML><HEAD></HEAD><BODY><P>Phil,</P><P></P><P>the SSL module will not use its ip address to communicate with the server. It always reuses the client ip.</P><P>Therefore, you can simply use sitcky source ip on the clear text content rule.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 21 Dec 2005 09:46:05 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430161#M7800 Gilles Dufour 2005-12-21T09:46:05Z https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430162#M7801 <HTML><HEAD></HEAD><BODY><P>Gilles</P><P></P><P>Thanks for the quick reply.</P><P></P><P>That's what I thought but it's nice to have it confirmed - at this stage I'll clutch at any straw.</P><P></P><P></P><P>Regards</P><P></P><P>Phil.</P><P></P></BODY></HTML> Wed, 21 Dec 2005 10:25:40 GMT https://community.cisco.com/t5/application-networking/using-sticky-with-ssl/m-p/430162#M7801 p.bailey 2005-12-21T10:25:40Z