cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
883
Views
0
Helpful
3
Replies

HTTP-Cookie Stickiness is not working on ACE 4710.

Amjad Hashim
Beginner
Beginner

Hi ALL,

I have configured a service with a VIP listening on 443, at the minute both servers at the backend are using self signed certificates but eventually SSL will be terminated on ACE.

My requirement is to configure sticky sessions using http-cookie, i have configured it but ACE is not working as expected.

The user logs into the server and while browsing they get kicked to the second server and are prompted to login page again.

is it because the ACE can't extract the cookie from encrypted text or it is something else.

My config is very simple, please find it below.

serverfarm host SSDSD_SF

  probe SSDSD-ServerAvailability-443

  rserver SSDSD-AL2 443

    conn-limit max 4000000 min 4000000

    inservice

  rserver SSDSD-AL3 443

    conn-limit max 4000000 min 4000000

    inservice

sticky http-cookie JSESSIONID SSDSD_Sticky_SF2

  replicate sticky

  serverfarm SSDSD_SF

lass-map match-all SSDSD_443_WEB

  2 match virtual-address 10.xx.xx.xx tcp eq https

policy-map type loadbalance first-match SSDSD_443_WEB-l7slb

  class class-default

    sticky-serverfarm SSDSD_Sticky_SF2

class SSDSD_443_WEB

    loadbalance vip inservice

    loadbalance policy SSDSD_443_WEB-l7slb

    loadbalance vip icmp-reply active

3 Replies 3

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi Amjad,

You are correct. ACE has no way to look into HTTP header since it is encrypted. For ACE to do HTTP based stickyness, you should terminate SSL on ACE or as temporary workaround use source based sticky.

Hope this helps!

Regards,

Kanwal

Hello Kanwaljeet,

Thanks once again for your prompt reply, what will happen if i terminate the SSL on ACE and the backend servers are also listening on 443??

Will the ACE be able to decrypt the data and extract the cookie out of it or will it go through the ACE and the real server will deal with it.

Regards,

Amjad Hashim.

Hi Amjad,

In that case you will need to do END-TO-END SSL and ACE would be able to decrypt traffic and take decision on the basis of information contained in HTTP header. You can have more details regarding End to End ssl in below link.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml

Please let me know if you have any questions.

Regards,

Kanwal

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: