ACE 4710 Can not confirm http cookie sticky connections

dlance
Level 1

We are using an ACE 4710 with the A3(2.6) software release.

I had to change our sticky load balancing method for HTTPS to cookie based.

However, while connections appear to work, if I look at the sho sticky database table I cannot see or confirm sticky entries for the cookie-based connections.

Here are config snippets to show the config:

sticky http-cookie ghh-www scook-ghh
  cookie insert browser-expire
  serverfarm ghh-www-443

class-map match-all ghh-www-443_CLASS
  2 match virtual-address 172.16.1.21 tcp eq https

class-map type http loadbalance match-any ghh-www-443_CLASSURL
  2 match http url [.]*

policy-map type loadbalance first-match ghh-sticky-443_POLICY
  class class-default
    sticky-serverfarm scook-ghh

policy-map multi-match POLICY
  class ghh-www-443_CLASS
    loadbalance vip inservice
    loadbalance policy ghh-sticky-443_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

Yes, thanks.

We are basically taking an existing working port 80 and 443 config where the sticky is done using IP address and changing it to a config where the sticky rule is done using cookies. So we had to decrypt the 443 connections to determine the cookie for sticky load balancing.

Dave

Hi Dave,

Yes, as Alex mentioned, if you don't need redirection (if you did, you would have it already), all the configuration for traffic matching the class L4-CLASS-REDIRECT in the example would not be needed in your case.

Cheers,

Francesco

Yes, thanks. It looks like they want me to do this, and to be honest our web programmers and I are clueless as to how to work out this certificate, intermediate certificate and key pair mess.

Dave

Dave,

I would suggest you open a TAC case. The assigned engineer would be able to help you with the steps required to implement.

Here is the link from the SSL A3 guide that will detail the configuration aspect of SSL on the ACE appliance:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/sslgd.html

There is some very good information here that details certs/keys and end-to-end SSL.

-Alex

Yes, I have this document and keep circling back to it. Unfortunately it's VERY unclear as to the certificate, intermediate certificate and key pair relationship relative to end-to-end SSL.

You will only need the SSL cert, key, and any required intermediate certs configured for the SSL termination point. This is required when the ACE acts as an SSL server. When the ACE acts as an SSL client (when it initiates an SSL connection to the rserver), the cert, key, and any required intermediate certs would be provided by the SSL server (in this case your web servers). In a very simple form, for the SSL initiation portion you would need an SSL-proxy service (without any keys/certs associated with it) and apply this to your load balance policy map. The below is from memory and only shows the proxy service and where it is applied in the loadbalance policy.

ssl-proxy service SSL-initiation

policy-map type loadbalance http first-match SSL-POLICY
  class class-default
    ssl-proxy client SSL-initiation
    serverfarm serverfarmName

OK, I am very close to having this working. I seem to have all the SSL cert stuff worked out. Now I am kinda back to the original problem. Clients seem to connect OK and stickiness SEEMS to be working. However, if I do

sho sticky database group scook-ghh

I get no entries, and it doesn't matter whether the sticky http setup includes or does not include the command

cookie insert browser-expire

If I do a

sho sticky cookie-insert

it shows 5 entries, 1 per rserver.

Since the inserted cookie is static, you will only see the cookie that is generated for each rserver. You will not see an entry for each client, as you would with source IP sticky.
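The difference Alex describes, modelled as an added Python illustration (not ACE code or anything posted in the thread): cookie-insert keeps one static cookie per rserver, so the table never grows with the client count, while source-IP sticky adds an entry per client. The rserver names, client addresses and hash-derived cookie values are constructed stand-ins; the cookie name ghh-www comes from the poster's config.

```python
import hashlib
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

COOKIE_NAME = "ghh-www"  # cookie name from the thread's sticky config
RSERVERS = ["web1", "web2", "web3", "web4", "web5"]  # constructed rserver names


def rserver_cookie_value(rserver: str) -> str:
    """Static per-rserver value standing in for the opaque cookie the ACE generates."""
    return hashlib.sha256(rserver.encode()).hexdigest()[:16]


class CookieInsertSticky:
    """Cookie-insert: the sticky table holds one entry per rserver, never per client."""
    def __init__(self, rservers: List[str]) -> None:
        self.rservers, self.rr = list(rservers), 0
        self.db: Dict[str, str] = {rserver_cookie_value(r): r for r in rservers}

    def handle(self, cookie_header: Optional[str]) -> Tuple[str, str]:
        """Return (rserver, Set-Cookie value): a known cookie pins the client, else round-robin."""
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if COOKIE_NAME in jar and jar[COOKIE_NAME].value in self.db:
                val = jar[COOKIE_NAME].value
                return self.db[val], f"{COOKIE_NAME}={val}"
        rs = self.rservers[self.rr % len(self.rservers)]
        self.rr += 1
        # browser-expire: no Expires/Max-Age, so the browser discards the cookie on close
        return rs, f"{COOKIE_NAME}={rserver_cookie_value(rs)}"


class SourceIpSticky:
    """Source-IP sticky: one table entry per client address (what the poster expected to see)."""
    def __init__(self, rservers: List[str]) -> None:
        self.rservers, self.rr, self.db = list(rservers), 0, {}

    def handle(self, client_ip: str) -> str:
        if client_ip not in self.db:
            self.db[client_ip] = self.rservers[self.rr % len(self.rservers)]
            self.rr += 1
        return self.db[client_ip]


def table_sizes(n_clients: int) -> Tuple[int, int]:
    """Run n_clients distinct clients (constructed 10.0.x.y addresses) through both schemes."""
    ci, si = CookieInsertSticky(RSERVERS), SourceIpSticky(RSERVERS)
    for i in range(n_clients):
        ci.handle(ci.handle(None)[1])  # first request has no cookie; browser returns it next
        si.handle(f"10.0.{i // 250}.{i % 250}")
    return len(ci.db), len(si.db)  # (cookie-insert entries, source-IP entries)
```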