02-03-2010 10:52 AM
Configuring load balancing with SSL termination and stickiness for a couple of Citrix XenApp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
02-03-2010 12:34 PM
Hi David,
It is hard to say what is causing the cookie sticky to not work, given the data provided.
You might want to load up LiveHTTPHeaders on a Firefox browser and see if the browser is receiving the cookie from the server, and is returning the cookie in the subsequent request to the same host. Also, you could try cookie-insert by adding the line to your sticky group...
sticky http-cookie CITRIXCOOKIE Sticky_Http_Cookie_Citrix
  cookie insert
  serverfarm SF_CitrixXenApp
Thank you,
Sean
02-03-2010 12:54 PM
Using Wireshark to capture the packets from my PC, when I connect via the VIP address, which is HTTPS, I do not receive a cookie. If I connect directly to the rserver via HTTP, I do receive a cookie. The stickiness should be using that cookie that is passed between the ACE and the rserver if the ACE is terminating SSL, correct? When I put one of the rservers out of service and connect to the VIP, I do not see any data in the sh sticky database group Sticky_Http_Cookie_Citrix. If I enable the cookie insert, I see the following info.
sh sticky cookie-insert group Sticky_Http_Cookie_Citrix
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R3911631338 | 14573668120520452617 | SF_CitrixXenApp/RS_CitrixXen_1:80
R3911667275 | 17565098191941304674 | SF_CitrixXenApp/RS_CitrixXen_2:80
I still do not see any sticky sessions in the database for this sticky group after enabling the cookie insert.
02-03-2010 01:10 PM
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean
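A client-side check for the behaviour described above, as an added example that is not part of the original posts: it parses the `sh sticky cookie-insert` output quoted earlier in the thread and walks a header trace (such as one exported from LiveHTTPHeaders) to confirm the inserted cookie is set, returned, and keeps mapping to the same rserver. The cookie name and table rows come from the thread; the function names and header traces are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Output of "sh sticky cookie-insert group ..." as posted in the thread.
STICKY_TABLE = """\
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R3911631338 | 14573668120520452617 | SF_CitrixXenApp/RS_CitrixXen_1:80
R3911667275 | 17565098191941304674 | SF_CitrixXenApp/RS_CitrixXen_2:80
"""

def parse_sticky_table(text):
    """Map each static cookie value to its rserver instance."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(R\d+)\s*\|\s*\d+\s*\|\s*(\S+)", line)
        if m:  # header and separator rows do not match
            rows[m.group(1)] = m.group(2)
    return rows

def check_stickiness(exchanges, cookie_name, table):
    """Walk (request_headers, response_headers) pairs in order; return findings."""
    findings, held = [], None
    for i, (req, resp) in enumerate(exchanges, 1):
        sent = SimpleCookie(req.get("Cookie", "")).get(cookie_name)
        if held and (sent is None or sent.value != held):
            findings.append(f"request {i}: client did not return {cookie_name}={held}")
        set_c = SimpleCookie(resp.get("Set-Cookie", "")).get(cookie_name)
        if set_c is None:
            if held is None:
                findings.append(f"response {i}: no {cookie_name} set by the VIP")
            continue
        if set_c.value not in table:
            findings.append(f"response {i}: unknown cookie value {set_c.value}")
        elif held and set_c.value != held:
            old = table.get(held, held)
            findings.append(f"response {i}: moved {old} -> {table[set_c.value]}")
        held = set_c.value
    return findings

# Constructed traces: one sticky session, one whose cookie value changes.
STICKY = [({}, {"Set-Cookie": "CITRIXCOOKIE=R3911631338; path=/"}),
          ({"Cookie": "CITRIXCOOKIE=R3911631338"}, {})]
FLAPPING = [({}, {"Set-Cookie": "CITRIXCOOKIE=R3911631338; path=/"}),
            ({"Cookie": "CITRIXCOOKIE=R3911631338"},
             {"Set-Cookie": "CITRIXCOOKIE=R3911667275; path=/"})]
```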
02-03-2010 03:10 PM
I've configured it to use the cookie insert, but it still does not appear to be using it; from the ACE logs I see it jumping back and forth between the rservers.
02-04-2010 05:56 AM
David,
Ah, the plot thickens. Perhaps we need to continue to simplify the config, get it working, then add back in what is necessary. If possible, please do the following:
Also what version of software are you running on your 4710?
Thanks,
Sean
02-04-2010 05:59 AM
I'll try that. I'm running 3.2.2 code.
02-04-2010 06:08 AM
Hi David,
I also just found a bug that could be relevant here. The issue can happen any time a user changes the serverfarm within a sticky group. It can cause sticky to stop working. It was fixed in A2(1.5) on the module and A3(2.3) on the 4710.
If upgrading is a possibility for you, it wouldn't be a bad idea to jump to A3(2.4).
Thanks,
Sean
02-04-2010 12:27 PM
Guess I'll be scheduling an upgrade of the code and see if that resolves the issue. I'll let you know.
02-15-2010 04:29 PM
That apparently fixed my issue now, as I can configure cookie stickiness with cookie insert and it works. The dynamic cookie learning does not seem to be working, but that may be because the application owner incorrectly advised me that the app uses cookies. I can figure that part out with a network capture. Thanks for the help!