ACE SSL Sticky class-map generic vs class default differences.

There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Gilles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.

Can anyone explain the benefits and differences of using a specific class-map generic such as this:

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

Versus just matching class default?

So if I have a configuration such as this:

policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
   sticky-serverfarm ssl-v3

vs

policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
   sticky-serverfarm ssl-v3

What's the benefit or drawback?

1 REPLY
Cisco Employee

Re: ACE SSL Sticky class-map generic vs class default difference

The SSL session id is only available in version 3.0.1 and 3.1.1

So you can match this particular version and then attempt to do stickiness.

You are guaranteed to find what you're looking for.

If you match class-default, it means you apply stickiness to any version of SSL packet.

So there is a risk of misinterpreting the content of the packet and sticking on something other than the session id.

Gilles.
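To make the difference concrete, here is an added Python example (not from this thread or from Cisco) that applies the two layer4-payload regexes from the SSL-v3-32 class-map to constructed payloads and extracts the session ID only when the match succeeds. The record and ClientHello layout follow the standard SSLv3/TLS 1.0 format; the builder and the payloads are constructed for illustration.

```python
import re
from typing import Optional

# Byte-oriented equivalents of the two ACE layer4-payload regexes on the page.
# 0x16 = handshake record, 0x03 0x00 = SSLv3, 0x03 0x01 = TLSv1.0,
# two record-length bytes, then 0x01 = ClientHello handshake type.
# re.DOTALL makes '.' match any byte, including 0x0a, as a payload regex must.
SSL_V3_32 = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]


def matches_ssl_v3_32(payload: bytes) -> bool:
    """Mimic 'class-map type generic match-any SSL-v3-32' (match-any = OR)."""
    return any(r.match(payload) for r in SSL_V3_32)


def client_hello_session_id(payload: bytes) -> Optional[bytes]:
    """Return the session ID of an SSLv3/TLSv1.0 ClientHello, else None.

    Layout: record type(1) version(2) length(2); handshake type(1) length(3)
    version(2) random(32) session_id_len(1) session_id(session_id_len).
    Only payloads that pass the class-map test are parsed; everything else
    (application data, SSLv2-style hellos, TLS 1.2) is rejected rather than
    having arbitrary bytes read at the session-id offset.
    """
    if not matches_ssl_v3_32(payload) or len(payload) < 44:
        return None
    sid_len = payload[43]
    sid = payload[44:44 + sid_len]
    return sid if len(sid) == sid_len else None


def build_client_hello(version: bytes, session_id: bytes) -> bytes:
    """Constructed ClientHello record for the given 2-byte protocol version."""
    body = version + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake
```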
