01-09-2013 09:44 AM
We are using an ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However, while connections appear to work, if I look at the sho sticky database table I cannot see or confirm sticky entries for the cookie-based connections.
Here are config snippets to show the config:
sticky http-cookie ghh-www scook-ghh
  cookie insert browser-expire
  serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
  2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
  2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
  class class-default
    sticky-serverfarm scook-ghh
policy-map multi-match POLICY
  class ghh-www-443_CLASS
    loadbalance vip inservice
    loadbalance policy ghh-sticky-443_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
01-10-2013 01:05 PM
Yes, thanks.
We are basically taking an existing working port 80 and 443 config, where the sticky is done using IP address, and changing it to a config where the sticky rule is done using cookies. So we had to decrypt the 443 connections to determine the cookie for sticky load balancing.
Dave
01-13-2013 09:29 AM
Hi Dave,
Yes, as Alex mentioned, if you don't need redirection (if you did, you would have it already), all the configuration for traffic matching the class L4-CLASS-REDIRECT in the example would not be needed in your case.
Cheers,
Francesco
01-14-2013 07:27 AM
Yes, thanks. It looks like they want me to do this and, to be honest, our web programmers and I are clueless as to how to work out this certificate, intermediate certificate and key pair mess.
Dave
01-14-2013 07:35 AM
Dave,
I would suggest you open a TAC case. The assigned engineer would be able to help you with the steps required to implement.
Here is the link from the SSL A3 guide that will detail the configuration aspect of SSL on the ACE appliance:
There is some very good information here that details certs/keys and end-to-end SSL
-Alex
01-14-2013 08:17 AM
Yes, I have this document and keep circling back to it. Unfortunately, it's VERY unclear as to the certificate, intermediate certificate and key pair relationship relative to end-to-end SSL.
01-14-2013 08:33 AM
You will only need the SSL cert, key, and any required intermediate certs configured for the SSL termination point. This is required when the ACE acts as an SSL server. When the ACE acts as an SSL client (when it initiates an SSL connection to the rserver), the cert, key, and any required intermediate certs would be provided by the SSL server (in this case your web servers). In a very simple form, for the SSL initiation portion you would need an SSL-proxy service (without any keys/certs associated with it) and apply this to your load balance policy map. The below is from memory and only shows the proxy service and where it is applied in the loadbalance policy.
ssl-proxy service SSL-initiation
policy-map type loadbalance http first-match SSL-POLICY
  class class-default
    ssl-proxy client SSL-initiation
    serverfarm serverfarmName
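The thread so far covers the two halves of end-to-end SSL on the ACE separately: terminate on the VIP (key, cert, chaingroup) so the ACE can see the HTTP cookie for stickiness, then optionally re-encrypt towards the rservers with a client-side ssl-proxy service that carries no key or cert. The following is an added worked example (not configuration from this thread or from Cisco's guide) that puts both halves together around the poster's own object names (ghh-www-443_CLASS, ghh-sticky-443_POLICY, scook-ghh, POLICY, CASE_PARAM). The crypto object names ghh-www.key, ghh-www.pem and intermediate-ca.pem are assumed; they refer to files previously loaded into the ACE crypto store with crypto import. The parameter-map GHH-SSL-PARAM and the service names GHH-SSL-TERM, GHH-SSL-INIT and GHH-CHAIN are also assumed names.

```text
! Intermediate CA certificate(s) sent to clients with the server cert.
! Needed on the termination side only; the rservers present their own chain.
crypto chaingroup GHH-CHAIN
  cert intermediate-ca.pem

! Restrict the client-facing handshake to TLS and a strong cipher.
! (assumed names; adjust to what the platform and clients support)
parameter-map type ssl GHH-SSL-PARAM
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1

! SSL termination: the ACE is the SSL server for 172.16.1.21:443.
! This is the only service that needs a key, cert and chaingroup.
ssl-proxy service GHH-SSL-TERM
  key ghh-www.key
  cert ghh-www.pem
  chaingroup GHH-CHAIN
  ssl advanced-options GHH-SSL-PARAM

! SSL initiation: the ACE is the SSL client towards the rservers.
! No key/cert here; the web servers supply theirs in the handshake.
ssl-proxy service GHH-SSL-INIT

! Cookie-insert stickiness works on the decrypted HTTP stream.
sticky http-cookie ghh-www scook-ghh
  cookie insert browser-expire
  serverfarm ghh-www-443

! Second-stage policy: pick a sticky rserver, then re-encrypt to it.
policy-map type loadbalance first-match ghh-sticky-443_POLICY
  class class-default
    sticky-serverfarm scook-ghh
    ssl-proxy client GHH-SSL-INIT

! First-stage policy: terminate SSL on the VIP before load balancing.
policy-map multi-match POLICY
  class ghh-www-443_CLASS
    loadbalance vip inservice
    loadbalance policy ghh-sticky-443_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
    ssl-proxy server GHH-SSL-TERM
```

The re-encrypted leg only works if the rservers in serverfarm ghh-www-443 are actually listening on 443; if the back end stays clear-text on port 80, drop the ssl-proxy client line and point the serverfarm at port 80 instead. Either way the chaingroup belongs with the terminating service, since it is the ACE's certificate, not the rservers', that client browsers have to validate.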
01-15-2013 07:16 AM
OK, I am very close to having this working. I seem to have all the SSL cert stuff worked out. Now I am kinda back to the original problem. Clients seem to connect OK and stickiness SEEMS to be working. However, if I do
sho sticky database group scook-ghh, I get no entries.
And it doesn't matter whether the sticky http setup includes or does not include the command
cookie insert browser-expire.
If I do a
sho sticky cookie-insert, it shows 5 entries, 1 per rserver.
01-15-2013 07:28 AM
Since the inserted cookie is static, you will only see the cookie that is generated for each rserver. You will not see an entry for each client, as you would with source IP sticky.