ASK THE EXPERTS: Configuring and troubleshooting Session Persistence on Application Control Engine

Posted by ciscomoderator (Community Manager), with Olivier Hynderick

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on how to configure and troubleshoot session persistence (stickiness) on ACE with regards to specific protocols with Cisco expert Olivier Hynderick. Olivier has been working for the Cisco Technical Assistance Center for four years. He focuses on the Cisco Application Control Engine (ACE), Cisco Security Manager, and Cisco Wide Area Application Services and related technologies. He initially joined the Security team focusing on the Cisco ASA firewall and VPN on Cisco IOS applications before getting involved in the support of the Cisco ACE load balancer.

Remember to use the rating system to let Olivier know if you have received an adequate response.

Olivier might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Application Networking discussion forum shortly after the event. This event lasts through July 29, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Hello Surya,

The SSL/TLS protocol allows clients to re-use the same key materials for multiple TCP connections. When this happens, the client sends a hello message that already contains an SSL Session-ID. From there, there are 2 possibilities: either the server has (or still has) the corresponding key materials, or it responds with a different SSL Session-ID, forcing the client to generate new key materials.

I guess you knew this already. The point of stickiness based on Session-ID is just to make sure that the client hello message is sent to the server that has the correct key materials. This is to make the SSL negotiation faster. In case you have to maintain multiple connections with different Session-IDs, then indeed, it won't help. That really depends on your application and what you are looking for...

Anyway, ACE actually uses the Generic Protocol Parsing (GPP) to achieve this. So I would say that stickiness based on SSL Session-ID is one of the many things you can achieve with GPP rather than a real option...

See below another link on this, which explains more or less the same...

http://docwiki.cisco.com/wiki/Secure_Sockets_Layer_Persistence_Configuration_Example#Limitations_of_SSL_stickiness

About cookie insertion with 0 timeout, I don't think I have ever seen any problems with that. Actually, by doing so, you no longer have to rely on the load balancer clock, which may, for whatever reason, be/become incorrect.

About learning cookies, again, that depends on your application. I have seen some customer applications where the client was only taking into account a specific cookie inserted by the ACE.

Thanks,

Olivier
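The mechanism Olivier describes above (the client hello carrying an SSL Session-ID, and the load balancer steering it to the server that still holds the matching key material) can be illustrated with a small parser and sticky table. The following is an added example written for this thread; it is not ACE code, not GPP, and not from Olivier or Cisco. It assumes a simplified model in which the load balancer learns the Session-ID from the ServerHello of a new connection and later matches it against ClientHellos; the server names `rserver1`/`rserver2`, the `build_hello` helper and the hello byte strings are constructed test data.

```python
import struct
from itertools import cycle

# Constructed sample values (not from the page): two back-end servers.
SERVERS = ["rserver1", "rserver2"]

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message types (RFC 5246)
SERVER_HELLO = 0x02


def build_hello(msg_type, session_id, version=(3, 3)):
    """Build a minimal TLS record carrying a ClientHello or ServerHello with
    the given session_id. Constructed test data, not a real capture."""
    random = bytes(32)  # 32 zero bytes stand in for the client/server random
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        body += struct.pack("!H", 2) + b"\xc0\x2f"  # one offered cipher suite
        body += b"\x01\x00"                         # one compression method (null)
    else:
        body += b"\xc0\x2f" + b"\x00"               # chosen suite, null compression
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_hello_session_id(record):
    """Return (handshake_type, session_id) from a TLS handshake record, or
    None if the bytes are not a well-formed ClientHello/ServerHello prefix."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 + 2 + 32 + 1:
        return None
    hs_type = hs[0]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        return None
    # body layout: version(2) | random(32) | session_id_len(1) | session_id
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:  # RFC 5246 caps session_id at 32 bytes
        return None
    return hs_type, body[35:35 + sid_len]


class SessionIdSticky:
    """Sticky table keyed by SSL Session-ID. Unknown or empty IDs are load
    balanced round-robin; IDs learned from a ServerHello stick to that server."""

    def __init__(self, servers):
        self._rr = cycle(servers)
        self.table = {}

    def route(self, client_hello):
        parsed = parse_hello_session_id(client_hello)
        sid = parsed[1] if parsed and parsed[0] == CLIENT_HELLO else b""
        if sid and sid in self.table:
            return self.table[sid], "sticky"
        return next(self._rr), "balanced"

    def learn(self, server_hello, server):
        parsed = parse_hello_session_id(server_hello)
        if parsed and parsed[0] == SERVER_HELLO and parsed[1]:
            self.table[parsed[1]] = server


def demo():
    """Three connections: new session, resumed session, unknown Session-ID."""
    lb = SessionIdSticky(SERVERS)
    # Connection 1: fresh client sends an empty Session-ID -> load balanced.
    srv1, how1 = lb.route(build_hello(CLIENT_HELLO, b""))
    sid = bytes(range(16))  # constructed Session-ID the chosen server hands out
    lb.learn(build_hello(SERVER_HELLO, sid), srv1)
    # Connection 2: client resumes with the learned Session-ID -> sticks to srv1.
    srv2, how2 = lb.route(build_hello(CLIENT_HELLO, sid))
    # Connection 3: Session-ID nobody here issued -> balanced to the next server.
    srv3, how3 = lb.route(build_hello(CLIENT_HELLO, b"\xff" * 8))
    return [(srv1, how1), (srv2, how2), (srv3, how3)]


if __name__ == "__main__":
    for server, how in demo():
        print(server, how)
```

The third connection shows the limitation the reply points to: a Session-ID the load balancer never learned (for example one issued before a failover, or one belonging to a parallel session) gets no stickiness and the server will simply run a full handshake, so this form of persistence speeds up resumption but cannot be relied on to pin an application session.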
