Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
533
Views
0
Helpful
3
Replies

Arrowpoint cookies and ssl without SSL Module

ddimiceli
Level 1
Level 1

‎02-15-2006 11:49 AM

I have a 1503 CS. I would like to know If I can use Advanced-Balance Arrow-point cookies in our environment. We have the ssl being done on the server. Will the following work:

content t2p443

vip address xxx.xxx.xxx.xxx

protocol tcp

port 443

add service PR90APP8-443

add service PR92APP7-443

flow-timeout-multiplier 115

sticky-inact-timeout 15

sticky-mask 255.255.240.0

application ssl

advanced-balance arrowpoint-cookie

active

Thanks

Labels:
0 Helpful
3 Replies 3

dmoreira
Level 1
Level 1

‎02-15-2006 02:20 PM

Unfortunately not. The traffic would be encrypted to the CSS. ARPT cookies can only be inserted in clear text.

You would need to implement cookies on the server or use an ssl module offloader installed in the chassis (or external). The offloader would decrypt the ssl request and hit another content rule in clear text. That rule could use arrowpoint-cookies as a sticky method.

David

0 Helpful

ddimiceli
Level 1
Level 1
In response to dmoreira

‎02-15-2006 04:46 PM

Thanks Dave. I have another question. When I want to take a server out of rotation for maint I assign a weight of zero to the content. The only problem is that I am balancing using sticky source ip and I cant really tell the number of remaing connections using sh service summary. The connections vary from 0 to a few. I think I am having the limitation of mega proxy using sticky source ip. Is there any way I can really tell if everybody is off the server and I can safely suspend the service.

Thanks in advance for your help.

0 Helpful

dmoreira
Level 1
Level 1
In response to ddimiceli

‎02-16-2006 05:58 AM

The current connections listed under show service summary should be correct. If you are at zero, then all connections are gone.

Since you're using flow-timeout-mult, flows may stay around if not gracefully closed. Once you're at zero, suspend the service. If you don't, new connections can still be sent to the "zero weight" service, if the client is in the sticky table.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cntlbgd/services.htm#wp1050713

If a proxy is always sending connections and you're using sticky-ip, the entry will never age out (which maybe what you're seeing). Use sticky-inact to more agressively age out entries. Be careful w/ this command. If your sticky table becomes full, new connections will be rejected until the old entries age out.

David

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card