SSL CSM Sticky

cheeseng
Level 1

Hi,

My setup is as follows: I have 2 CSMs in two different 6509s running in active and standby mode, and 2 SSLMs also running in two different 6509s.

My SSL traffic terminates at my SSLM.

Currently my CSM and SSL are working fine, but I notice there's this niggling issue whereby, at times, when accessing my web servers via HTTPS, my SSL stickiness doesn't seem to be working. The scenario is that while accessing the pages via HTTPS, the certificate web pages keep prompting, and after checking the certs they are from 2 different SSLMs. Furthermore, after doing a trace I can confirm that the SSL sticky doesn't work at times, but this is like a 5-10% rate.

After reading some of the posts in the forum, the SSL ID in IE will expire and renegotiate again. Could this cause this problem? Also, how can I rectify this? Please advise. Thanks.

Attached are my config and the screen capture of the error.

5 Replies

Gilles Dufour
Cisco Employee

Indeed, IE is most probably the culprit here.

The CSM learns the SSLID generated by the SSLM and creates a sticky entry to link this value to the SSLM.

When IE wants to renegotiate the SSLID, it starts a new SSL session with a blank [0x00] SSLID.

The CSM can't stick this client to the corresponding SSLM and therefore it will load balance the session to the next SSLM.

If you have no control over the browser, there is no solution using SSLID.

What some people do is use another form of stickiness to resolve the problem.

The only other sticky method is based on source IP address.

Regards,

Gilles.
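The mechanism Gilles describes (the load balancer learning the session ID the SSL module hands out, sticking on it, and losing the binding when the browser opens a new handshake with an empty session ID) can be seen in a small simulation. The following is an added example, not code from the thread or from Cisco: it builds a constructed TLS ClientHello, pulls the session ID field out of it, and models an SSLID sticky table beside a source-IP sticky table so the renegotiation failure and the proxy drawback both show up. Server names, IP addresses and the session ID value are all constructed sample data.

```python
"""Constructed model of SSL session-ID and source-IP stickiness (example, not Cisco code)."""
import struct
from itertools import cycle


def build_client_hello(session_id: bytes, cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input)."""
    body = b"\x03\x01"                                    # client_version = TLS 1.0
    body += bytes(32)                                     # random (zeros, for determinism)
    body += bytes([len(session_id)]) + session_id         # session_id<0..32>
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites
    body += b"\x01\x00"                                   # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_session_id(record: bytes) -> bytes:
    """Return the session ID carried in a ClientHello; b'' means 'new session, please'."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    # 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random
    pos = 5 + 4 + 2 + 32
    sid_len = record[pos]
    return record[pos + 1:pos + 1 + sid_len]


class SslIdSticky:
    """Sticky on the SSL session ID the server issued; unknown or blank IDs get load balanced."""

    def __init__(self, servers):
        self._rr = cycle(servers)   # round robin stands in for the CSM predictor
        self.table = {}             # session ID -> server that issued it

    def pick(self, session_id: bytes) -> str:
        if session_id and session_id in self.table:
            return self.table[session_id]
        return next(self._rr)       # blank/unknown ID: no match, next server in rotation

    def learn(self, session_id: bytes, server: str) -> None:
        """Record the ID seen in the server's ServerHello so later resumptions stick."""
        if session_id:
            self.table[session_id] = server


class SourceIpSticky:
    """Sticky on client source IP: every connection from one address lands on one server."""

    def __init__(self, servers):
        self._rr = cycle(servers)
        self.table = {}

    def pick(self, client_ip: str) -> str:
        if client_ip not in self.table:
            self.table[client_ip] = next(self._rr)
        return self.table[client_ip]


def simulate_renegotiation():
    """Three hellos from one browser: fresh, resumed, then renegotiated with a blank ID."""
    lb = SslIdSticky(["SSLM-A", "SSLM-B"])
    issued_id = bytes.fromhex("11" * 32)        # constructed ID the first SSLM hands out
    chosen = []
    # 1. first connection carries no session ID; the balancer picks a server, which issues an ID
    server = lb.pick(parse_session_id(build_client_hello(b"")))
    lb.learn(issued_id, server)
    chosen.append(server)
    # 2. resumption presents the learned ID and sticks to the same SSLM
    chosen.append(lb.pick(parse_session_id(build_client_hello(issued_id))))
    # 3. the browser renegotiates with a blank ID: nothing to match, so the next SSLM is chosen
    chosen.append(lb.pick(parse_session_id(build_client_hello(b""))))
    return chosen


def proxy_drawback():
    """Five clients behind one proxy address all land on the same server."""
    lb = SourceIpSticky(["SSLM-A", "SSLM-B"])
    proxy_ip = "203.0.113.10"                   # constructed proxy address
    return {lb.pick(proxy_ip) for _ in range(5)}


if __name__ == "__main__":
    print("SSLID sticky across fresh/resume/renegotiate:", simulate_renegotiation())
    print("Servers seen by clients behind one proxy:", proxy_drawback())
```

The third pick in `simulate_renegotiation` is the case in the thread: the client presents a zero-length session ID, the table has nothing to match, and the connection moves to the other SSLM, which then presents its own certificate. `proxy_drawback` shows the trade-off of the alternative: source-IP stickiness keeps the session on one module but collapses everyone behind a shared proxy onto it.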

Hi Gilles,

Thanks for the reply. The information is really helpful. However, there's one thing that doesn't really add up: the certificate screen keeps popping up immediately once I access the web page.

Reading through the caveats at Microsoft regarding the IE SSLID issue, it mentions that the connection is forced to reset every 2 minutes. But for the issue that I'm facing it's almost immediate.

So is IE resetting the connection every 2 minutes only when I start the connection (open the browser), or every 2 minutes by default (specific to the client system)?

Hope I did not confuse you. Thanks.

Hi Gilles,

If I were to use source IP for stickiness for my SSLM, what would happen if the client traffic is from a proxy? Thus, the load balancing by my CSM will not be accurate, as many clients could be from the same proxy.

That's the drawback of sticky source-IP.

Mega proxy users will all be sent to the same server.

Gilles.

Capture a sniffer trace and verify the SSLID.

Also collect a 'sho sticky-table ssl-sticky' to verify that the sticky entry was created.

If this is a CSM, the command is 'sho mod csm X sticky'.

Regards,

Gilles.
