10-26-2007 08:15 AM
The problem is that CSS is overloading one service/server. 90% of all active client connections are sent to one single back-end service/server instead of being equally distributed to all three servers.
This is a new CSS11503 (installed 2 months ago).
Our SSL VIP is configured as follows:
content W3CFM-443
  vip address x.x.x.14
  protocol tcp
  port 443
  application ssl
  advanced-balance ssl
  add service server1
  add service server2
  add service server3
  active
The vast majority of clients are connecting to this VIP from behind a NAT router (a Cisco overload NAT router), therefore the CSS sees all clients with the same source IP address (normally 200 active concurrent users).
Will our "imbalance" issue be solved by issuing the following configuration command?
"ssl-l4-fallback disable"
10-30-2007 06:07 AM
Indeed, this command could help.
Because with the default, the CSS would use sticky srcip if it can't find the SSL ID.
But if you need stickiness [why configure advanced-balance ssl if you don't], then you'll lose it with this command.
You may have to use an SSL module to decrypt the traffic and use cookie stickiness.
Gilles.
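A simplified model of the fallback behaviour described in this reply, added here as an illustration and not taken from the thread or from Cisco's code. The sticky tables, the round-robin choice for unknown clients and the sample traffic (180 clients behind one NAT address, 20 on their own addresses, each opening one new and one resumed SSL session) are assumptions of the model.

```python
import itertools
from collections import Counter

SERVERS = ["server1", "server2", "server3"]
NAT_IP = "203.0.113.10"  # constructed: the shared overload-NAT address

def sample_connections():
    """Constructed traffic: every client connects twice with the same SSL ID."""
    clients = [(NAT_IP, f"nat-sess-{i}") for i in range(180)]
    clients += [(f"198.51.100.{i + 1}", f"direct-sess-{i}") for i in range(20)]
    return clients + clients  # new handshakes first, then resumptions

def simulate(connections, l4_fallback=True, servers=SERVERS):
    """Return connections per server for a list of (src_ip, ssl_id) pairs."""
    next_server = itertools.cycle(servers)  # assumed default: round-robin
    by_ssl_id, by_src_ip = {}, {}
    load = Counter()
    for src_ip, ssl_id in connections:
        if ssl_id in by_ssl_id:
            # Known SSL session ID: stick to the server that issued it.
            server = by_ssl_id[ssl_id]
        elif l4_fallback and src_ip in by_src_ip:
            # SSL ID not found: fall back to source-IP stickiness.
            server = by_src_ip[src_ip]
        else:
            server = next(next_server)
        by_ssl_id[ssl_id] = server  # learned once the session is set up
        if l4_fallback:
            by_src_ip[src_ip] = server
        load[server] += 1
    return load

def share(load, server):
    """Percentage of all connections that landed on one server."""
    return round(100 * load[server] / sum(load.values()))

if __name__ == "__main__":
    for fallback in (True, False):
        load = simulate(sample_connections(), l4_fallback=fallback)
        print(f"l4 fallback={fallback}: {dict(load)} "
              f"server1 share={share(load, 'server1')}%")
```

With the fallback active, the first NAT client pins the shared address to one server and every later new session from that address follows it. With the fallback off, new sessions are balanced individually and only resumed sessions stick.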
10-31-2007 08:40 AM
Thanks Gilles,
What do you mean by "you'll lose stickiness with this command"? ...SSL stickiness will no longer work if I configure the "ssl-l4-fallback disable" command?
The option to use the SSL module with cookie stickiness was my initial configuration, however, performance of HTTPS traffic actually degraded (web page load times were slower) when I tried to use the SSL module to off-load the SSL traffic from the web servers. So we're stuck with using SSL sticky for now.