CSS 11503 Session stickiness configuration

kellygoedert · ‎09-18-2012

Hi,

I am a complete newbie on css configuration. I only have configured load balancing on apache with a very simple setup. I have to deploy 2 applications on my clients environment that run inside jboss. One of these applications needs session to be sticky to work properly. The other does not.

In apache I can configure is the sticky parameter is true or false, based on the url, like /appA/* is sticky and /appB/* is not sticky. Can I do that in a CSS 11503? I believe so, but can somebody give me an example? My client insists that it is impossible. That the CSS is only ip based.

I copied the configuration below from the manual:

owner arrowpoint

   content ruleWapSticky

     vip address 192.168.128.151

     protocol tcp

     port 80

     url "/*"

     add service server1

     add service server2

     advanced-balance wap-msisdn

     active

I believe the url parameter is supposed to be my /appA/* or /appB/*. Am I right? Could I have two machines say, 10.1.1.2 and 10.1.1.3 both running jboss, and both having the two applications appA and appB deploying and one of the applications having sticky sessions enable and not the other?

Thanks

Kelly

Cesar Roque · ‎09-19-2012

Hi Kelly,

So you need to match the traffic based on the URI and stick the client. Here is an example of this using stickiness based on the source IP address:

content ruleWapSticky

vip address 192.168.128.151

protocol tcp

port 80

url "/appA"

add service server1

add service server2

advanced-balance sticky-srcip

active

content ruleWapSticky

vip address 192.168.128.151

protocol tcp

port 80

url "/appB"

add service server1

add service server2

active

With this configuration if someone hits the VIP address like this: http://192.168.128.151/appA is going to be loadbalanced to services server1 or server2 and stick to one of these servers based on the source IP address.

If someone hits the VIP address like this http://192.168.128.151/appB is going to be balanced to services server1 or server2 without stickiness, just normal loadbalance.

-------------------------------

Cesar R

--------------------- Cesar R ANS Team

kellygoedert · ‎09-19-2012

Thanks for your help. I will send this to my client. Another question: in this parameter

advanced-balance sticky-srcip

Could I make the stickiness based on JSESSIONID cookie?

Cesar Roque · ‎09-19-2012

Hi Kelly,

Yes, however it is easy if you use 'advanced-balance arrowpoint cookie' and let the CSS set a session based cookie.

---------------------

Cesar R

--------------------- Cesar R ANS Team

kellygoedert · ‎09-19-2012

I am sorry if this sounds stupid, but could you elaborate on "let the CSS set a session based cookie."? When I asked the question above I was just trying to avoid the situation where every request that leaves the same source ip address always goes to the same node. So I remembered the JSESSIONID cookie. So, if from the same source ip address I have multiple users, each one with a different browser session, they could go to different nodes.

Because I just really need the stickiness for that session, like in a shopping cart app. I don't really need that every request that leaves the same ip address is treated by the same node. Would this configuration that you suggested do this?

Thanks again

Kelly

Cesar Roque · ‎09-19-2012

Hi Kelly,

Yes, with advanced-balance arrowpoint cookie the CSS is going to insert a cookie to the request and use that cookie to stick the client.

This is the best method in scenarios where the clients are accesing the VIP address thru a proxy for example.

Here is a good link about arrowpoint-cookie:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801c8c2f.shtml

------------------------------

Cesar R

--------------------- Cesar R ANS Team

kellygoedert · ‎09-26-2012

Sorry for the delayed reply and for still insisting on this, but my client still insists that the configuration posted here on the previous answer

content ruleWapSticky

vip address 192.168.128.151

protocol tcp

port 80

url "/appA"

add service server1

add service server2

advanced-balance sticky-srcip

active

content ruleWapSticky

vip address 192.168.128.151

protocol tcp

port 80

url "/appB"

add service server1

add service server2

active

is applied to all the server and not only to the url like, appA. Even using the arrow cookie solution suggested, all the requests from the same src ip address, even if the urls are different, always go to the same node. Is this true?

Thanks again

Kelly

Cesar Roque · ‎09-26-2012

Hello Kelly,

Not really, the CSS is going to stick only the clients when they are accesing the Content Rule with arrowpoint-cookie configured.

The clients accesing the other Content Rule are not going to be sticky.

Stickiness is based on Content Rules not on servers

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

kellygoedert · ‎09-27-2012

Thank you very much. That was what I thought. I am having a hard time trying to explain this to him.

When the arrow point cookie is correctly set I can expect to see a cookie with a name like

ARPT= on the request, right? Like I can see the JSESSIONID

kellygoedert · ‎09-28-2012

Hi again,

this is my client's config (the one he sent me):

content hml-app1

protocol tcp

vip address 10.x.y.z

port 80

add service mac39

add service mac38

active

content hml-app1-https

protocol tcp

port 443

vip address 10.x.y.z

add service mac38-https

add service mac39-https

active

content hml-app1-https-app2

port 443

protocol tcp

url "/app2/*"

vip address 10.x.y.z

add service mac38-https

add service mac39-https

advanced-balance sticky-srcip

active

content hml-app-app2

vip address 10.x.y.z

protocol tcp

port 80

url "/app2/*"

add service mac39

add service mac38

advanced-balance sticky-srcip

active

With this configuration I hoped that only the requests that had /app2 on the request would have the sticky sessions. But this is not what is happening. What is wrong with this config? No request to app2 is being sticky.

Thanks

Kelly

Cesar Roque · ‎09-28-2012

Hi Kelly,

The problem is here:

content hml-app1-https-app2

port 443

protocol tcp

url "/app2/*"

vip address 10.x.y.z

add service mac38-https

add service mac39-https

advanced-balance sticky-srcip

active

If this traffic is encrypted, the command url "/app2/*" is not going to work because the CSS can't look the HTTP headers.

To make it work you need to do SSL Termination on the CSS

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

kellygoedert · ‎09-28-2012

Hi,

I am sorry but how do you do SSL Termination on the CSS?

Thanks,

Kelly

Cesar Roque · ‎09-28-2012

Hi Kelly,

here is the information about it:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/terminat.html

The important here is that first you need to have an SSL module in your CSS

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

kellygoedert · ‎10-01-2012

Hi,

since I do not have access to the equipment that has to be configured, and my client is unable to do it by himself, is there a way I can contact a cisco specialist in Brazil that I can pay to go to my client site and make this configuration?

Thanks again

Cesar Roque · ‎10-01-2012

Hi Kelly,

Not sure about that but contact your Cisco Account Manager or Cisco Sales Engineer

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team