04-09-2003 10:23 AM
My customer has a Local Director sitting behind a proxy. It is LD 416 Version 4.2.4. We are having a difficult time keeping the clients on the same sessions. In fact, because we have three real servers, the odds are 1 in 3 that it will hit the original real server that it needs to continue the open session. Are there any commands that will allow the clients to maintain their session with the real server they started with? We have tried sticky commands at the cookie-passive level with no luck, and we have tried sticky SSL and nothing there. What is the solution to make this thing work behind a proxy?
04-10-2003 08:14 AM
The solution is what you did.
You mentioned cookie-passive, so are the servers generating cookies?
If not, you need to use cookie-active.
You also mentioned SSL. Does it mean the LD is load balancing HTTPS connections? If so, the cookie-passive or cookie-active methods won't work.
The SSL methods will only work for SSLv3 clients.
The last solution is source IP sticky. But with a proxy server it is usually not recommended, because a lot of clients can use the same proxy IP address.
But sometimes this is the only solution.
Gilles.
04-10-2003 12:38 PM
Gilles
The Cisco website indicated that sticky commands would not be effective behind a proxy server.
Here's the config.
It looks simple enough, and it sounds like something would bind these sessions to the real server required, but the client is still opening new sessions to different servers, unless it just happens to hit the real server that the original session was started on. Does the CSS have these same issues when behind a proxy? Would it be better to move the LD in front of the proxy? Dane
syslog output 20.3
no shutdown ethernet 0
no shutdown ethernet 1
no shutdown ethernet 2
interface ethernet 0 auto
interface ethernet 1 auto
interface ethernet 2 auto
mtu 0 1500
mtu 1 1500
mtu 2 1500
multiring all
no secure 0
no secure 1
no secure 2
no ping-allow 0
no ping-allow 1
no ping-allow 2
ip address 167.4.63.81 255.255.255.128
route 0.0.0.0 0.0.0.0 167.4.63.1 1
route 167.4.63.0 255.255.255.128 167.4.63.1 1
arp timeout 30
no rip passive
rip version 1
failover ip address 0.0.0.0
no failover
failover hellotime 30
telnet 167.4.71.220 255.255.252.0
snmp-server enable traps
no snmp-server contact
no snmp-server location
virtual 167.4.63.91:0:0:tcp is
real 167.4.63.84:7002:0:tcp is
real 167.4.63.85:7002:0:tcp is
real 167.4.63.86:7002:0:tcp is
real 167.4.63.87:7002:0:tcp is
real 167.4.63.88:7002:0:tcp is
replicate interface 2
name 167.4.63.84 ews402
name 167.4.63.85 ews403
name 167.4.63.86 ews404
name 167.4.63.87 ews405
name 167.4.63.88 ews406
name 167.4.63.91 ewscls2-v
bind 167.4.63.91:0:0:tcp 167.4.63.88:7002:0:tcp
bind 167.4.63.91:0:0:tcp 167.4.63.87:7002:0:tcp
bind 167.4.63.91:0:0:tcp 167.4.63.86:7002:0:tcp
bind 167.4.63.91:0:0:tcp 167.4.63.84:7002:0:tcp
bind 167.4.63.91:0:0:tcp 167.4.63.85:7002:0:tcp
sticky 167.4.63.91:0:0:tcp 3 cookie-passive BEA
04-11-2003 12:44 AM
Dane,
Once again, I see cookie-passive in your config.
So, are your servers generating cookies?
The problem with proxies is when they open a few persistent connections with the LD and then load balance clients' requests over these connections.
If this is your case, then there is nothing you can do, except reconfiguring the proxy to disable persistent connections.
The problem would be the same with the CSS. But the CSS can close the persistent connection and therefore fix the problem.
Gilles.
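Added example, not part of the thread and not Cisco code: a toy model of the failure described in the last reply. It assumes a balancer that picks a real server once per TCP connection and a proxy that round-robins client requests over a pool of two persistent connections. The cookie values A/B/C, the pool size and the function names are constructed for illustration.

```python
import itertools

SERVERS = ["ews402", "ews403", "ews404"]  # three real-server names from the posted config


class PerConnectionLB:
    """Assumed model: the balancer chooses a real server once per TCP connection."""

    def __init__(self):
        self._next = itertools.cycle(SERVERS)
        self.by_cookie = {}  # session cookie -> server that owns the session
        self.by_conn = {}    # TCP connection id -> server chosen for that connection

    def route(self, conn_id, cookie):
        if conn_id not in self.by_conn:
            # Only the first request on a connection is inspected for a cookie.
            self.by_conn[conn_id] = self.by_cookie.get(cookie) or next(self._next)
        server = self.by_conn[conn_id]
        self.by_cookie.setdefault(cookie, server)  # first server seen owns the session
        return server


def simulate(persistent, clients=("A", "B", "C"), rounds=4, pool_size=2):
    """Return how many requests reach a server other than the session owner."""
    lb = PerConnectionLB()
    conn_ids = itertools.count()
    # Proxy-side pool of long-lived connections to the balancer (constructed).
    pool = itertools.cycle([next(conn_ids) for _ in range(pool_size)])
    misrouted = 0
    for _ in range(rounds):
        for cookie in clients:
            # Persistent proxy reuses pooled connections; otherwise one per request.
            conn = next(pool) if persistent else next(conn_ids)
            owner = lb.by_cookie.get(cookie)
            server = lb.route(conn, cookie)
            if owner is not None and server != owner:
                misrouted += 1
    return misrouted


if __name__ == "__main__":
    print("proxy with persistent connections:", simulate(True), "misrouted")
    print("proxy with one connection per request:", simulate(False), "misrouted")
```

In this model the cookie is present on every request, but stickiness still fails once the proxy multiplexes several clients onto one connection; with persistent connections disabled, every request is matched to its session owner.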