
HTTP-Cookie Stickiness is not working on ACE 4710.

Amjad Hashim
Level 1

Hi ALL,

I have configured a service with a VIP listening on 443. At the minute both servers at the backend are using self-signed certificates, but eventually SSL will be terminated on ACE.

My requirement is to configure sticky sessions using http-cookie. I have configured it, but ACE is not working as expected.

The user logs into the server and while browsing they get kicked to the second server and are prompted with the login page again.

Is it because the ACE can't extract the cookie from encrypted text, or is it something else?

My config is very simple, please find it below.

serverfarm host SSDSD_SF
  probe SSDSD-ServerAvailability-443
  rserver SSDSD-AL2 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver SSDSD-AL3 443
    conn-limit max 4000000 min 4000000
    inservice

sticky http-cookie JSESSIONID SSDSD_Sticky_SF2
  replicate sticky
  serverfarm SSDSD_SF

class-map match-all SSDSD_443_WEB
  2 match virtual-address 10.xx.xx.xx tcp eq https

policy-map type loadbalance first-match SSDSD_443_WEB-l7slb
  class class-default
    sticky-serverfarm SSDSD_Sticky_SF2

class SSDSD_443_WEB
    loadbalance vip inservice
    loadbalance policy SSDSD_443_WEB-l7slb
    loadbalance vip icmp-reply active

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Amjad,

You are correct. ACE has no way to look into the HTTP header since it is encrypted. For ACE to do HTTP-based stickiness, you should terminate SSL on ACE or, as a temporary workaround, use source-based sticky.

Hope this helps!

Regards,

Kanwal

Hello Kanwaljeet,

Thanks once again for your prompt reply. What will happen if I terminate the SSL on ACE and the backend servers are also listening on 443?

Will the ACE be able to decrypt the data and extract the cookie out of it, or will it go through the ACE and the real server will deal with it?

Regards,

Amjad Hashim.

Hi Amjad,

In that case you will need to do END-TO-END SSL, and ACE would be able to decrypt traffic and make a decision on the basis of information contained in the HTTP header. You can find more details regarding end-to-end SSL in the link below.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

Please let me know if you have any questions.

Regards,

Kanwal
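
The two options discussed in this thread, sketched as an added ACE configuration example that is not part of the original posts or of the linked Cisco document. It reuses the object names from the posted config; the ssl-proxy service names, the source-sticky group name, the key and certificate file names, and the multi-match policy name (not shown in the posted config) are placeholders or assumptions. Lines starting with `!` are annotations, not commands to paste.

```text
! Option 1: end-to-end SSL. ACE decrypts, reads JSESSIONID, then
! re-encrypts towards the real servers that still listen on 443.

! Front end: ACE terminates the client's SSL session.
ssl-proxy service SSDSD_SSL_TERMINATE
  key <key-file>
  cert <cert-file>

! Back end: ACE acts as SSL client towards the rservers
! (assumed to need no further options in this sketch).
ssl-proxy service SSDSD_SSL_INITIATE

! Cookie sticky group, unchanged from the posted config.
sticky http-cookie JSESSIONID SSDSD_Sticky_SF2
  replicate sticky
  serverfarm SSDSD_SF

policy-map type loadbalance first-match SSDSD_443_WEB-l7slb
  class class-default
    sticky-serverfarm SSDSD_Sticky_SF2
    ssl-proxy client SSDSD_SSL_INITIATE

policy-map multi-match <multi-match-policy-name>
  class SSDSD_443_WEB
    loadbalance vip inservice
    loadbalance policy SSDSD_443_WEB-l7slb
    loadbalance vip icmp-reply active
    ssl-proxy server SSDSD_SSL_TERMINATE

! Option 2: temporary workaround while SSL still passes through ACE.
! Stick on the client source IP, which is visible without decryption.
sticky ip-netmask 255.255.255.255 address source SSDSD_Sticky_SRC
  serverfarm SSDSD_SF

policy-map type loadbalance first-match SSDSD_443_WEB-l7slb
  class class-default
    sticky-serverfarm SSDSD_Sticky_SRC
```

Only one `sticky-serverfarm` applies under `class-default` at a time, so the two options are alternatives. With source-IP sticky, clients that share one NAT or proxy address all land on the same real server.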
