03-17-2011 09:33 PM
Hi
I am trying to configure a CSS11503 with 4 JBoss servers on the back. I am having performance problems with the application and I have a few questions that maybe someone could help me with.
The CSS11503 does not have a SSL module but the application works in ssl, so the Jboss servers have the certs and do the SSL work. I need to stick the session in the server for the application work properly. Questions:
- Since I don’t have an SSL module in the CSS11503, can I install one and do the SSL work in the CSS11503? Or is the only solution what I am doing now, forwarding the SSL to the JBoss?
- I understand that my only option to stick sessions is through the SSL ID (because the traffic through the load balancer is encrypted). Am I right on this? Is there any other option with this configuration?
- If I configure the CSS11503 with just one JBoss it works well, but the moment I add the two configuration lines to stick the SSL session (advanced-balance ssl, application ssl) the application performance goes down drastically. What can be producing this?
owner was
content wassvr
vip address x.x.x.74
add service was2
add service was3
add service was4
balance aca
port 443
protocol tcp
advanced-balance ssl
application ssl
active
Thanks in advance for your comments,
JC
03-19-2011 09:43 PM
Question 1. Since I don’t have an SSL module in the CSS11503, can I install one and do the SSL work in the CSS11503? Or is the only solution what I am doing now, forwarding the SSL to the JBoss?
Answer: Yes, you can install the SSL module to do SSL termination at the CSS. The current config you have with the CSS is layer 4 LB, so the CSS is making the LB decision based on IP address and port number.
Please find below link for a sample config for ssl termination at the CSS :
Question 2. I understand that my only option to stick sessions is through the SSL ID (because the traffic through the load balancer is encrypted). Am I right on this? Is there any other option with this configuration?
Answer: The sticky-ssl feature works by looking for the SSL session ID in the client hello packet. So you can use the SSL session ID for stickiness, but you can also use source IP stickiness.
Question 3. If I configure the CSS11503 with just one JBoss it works well, but the moment I add the two configuration lines to stick the SSL session (advanced-balance ssl, application ssl) the application performance goes down drastically. What can be producing this?
Answer: The advanced-balance cmd is for the stickiness. However, "application ssl" is only needed when you have two or more SSL modules and are doing L5 or above LB.
regards
Andrew
03-21-2011 01:37 AM
Hi Joo,
Thanks so much for your answer. I have tried without the application ssl command, but in that case it's not working.
My problem continues to be the same: when I include the sticky SSL ID configuration the application starts to go very slow. I have detected that a few clients can still work OK, but most of them go slow.
I have also tried to disable ssl-l4-fallback, but the behaviour is the same.
What can be producing this? Any solution? Is there any other way to stick the session to a server, considering that the connection is SSL and the device doesn't have an SSL module? Any workaround to this problem?
Thanks in advance,
JC
03-21-2011 07:13 AM
Hello JC!
As Andrew wrote before, you can use stickiness by IP address as well. But it will be most useful if your application works without a proxy server.
Regards,
Marko
03-21-2011 07:09 PM
Hi Marko,
Thanks for your reply. Clients are in fact coming through a proxy, so source IP stickiness will not be helpful. Is there any other workaround?
Thanks!
JC
03-21-2011 10:36 PM
Hi JC
The performance issue may not be related to the CSS. You can do a quick test for the performance: have a test client bypass the CSS (i.e. direct access to the server) and see if you still see the slowness. If you do the SSL termination on the server, the server needs to have good processing power to encrypt and decrypt the SSL traffic. That's the reason why LBs offer SSL offloading.
For the sticky SSL ID, there were some known issues with some web browsers, especially with old IE (I'm not really sure about new browsers).
The SSL cache time-out interval is set very low and it can force a full SSL handshake, meaning that the client can stick to a new server.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q265369&ID=kb;en-us;Q265369
regards
Andrew
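The mechanism Andrew describes, as an added sketch that is not part of the original thread and is not Cisco's implementation: a layer 4 balancer reads the session ID from the unencrypted ClientHello, keeps the client on the learned server when the ID is known, and re-balances when the client sends an empty ID (full handshake). The class and function names, the round-robin choice and the constructed ClientHello bytes are assumptions; the service names was2, was3 and was4 come from JC's config.

```python
import itertools
import struct

def client_hello_session_id(record: bytes):
    """Session ID of a TLS ClientHello record; b"" if empty, None if not a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    # 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
    sid_len = record[43]
    sid = record[44:44 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        return None                      # malformed or truncated
    return sid

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample input: minimal ClientHello carrying the given session ID."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"    # one cipher suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

class SslIdSticky:
    """Hypothetical sticky table; round robin stands in for the real balance method."""
    def __init__(self, services):
        self._rr = itertools.cycle(services)
        self._table = {}

    def learn(self, session_id: bytes, service: str):
        # In practice the ID is issued by the server in its ServerHello.
        self._table[session_id] = service

    def pick(self, record: bytes):
        sid = client_hello_session_id(record)
        if sid and sid in self._table:
            return self._table[sid], "sticky"
        return next(self._rr), "balanced"        # empty/unknown ID: fresh LB decision

def demo():
    lb = SslIdSticky(["was2", "was3", "was4"])
    sid = bytes(range(32))                       # constructed session ID
    first = lb.pick(build_client_hello(b""))     # new client, full handshake
    lb.learn(sid, first[0])
    resumed = lb.pick(build_client_hello(sid))   # resumption: same server
    expired = lb.pick(build_client_hello(b""))   # client cache expired: may move
    return first, resumed, expired

if __name__ == "__main__":
    print(demo())
```

The third result lands on a different server than the first two, which is how a short client-side SSL cache time-out breaks an application session even though the sticky table is working as designed.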
03-22-2011 01:16 AM
To me SSL session ID based persistence is still totally unreliable, as the SSL session is not related to the application session. I always use source IP if I don't perform SSL offload on the load balancer.
03-22-2011 01:44 AM
Thanks for your reply Surya,
My clients are coming through a proxy; would configuring the source IP have any benefit? Does that option take into consideration just the IP, or the TCP port as well? If it's just the IP, all my clients come with the proxy IP.
Thanks,
JC
03-22-2011 01:40 AM
Hi Joo,
That test was done. The app server works well and the performance is OK. With the load balancer the performance is good till I add the conf: advanced-balance ssl, application ssl
Thanks,
JC
03-22-2011 01:58 AM
Anyway, I guess the problem does not lie within the CSS. We have a similar configuration here, but we terminate the SSL sessions on a Juniper behind the CSS. The Juniper then goes to the webservers. As all is running fine I would guess the CSS is not a problem there. We use advanced-balance ssl and application ssl as well.
03-22-2011 03:29 AM
Thanks Marko, good to know you have that same configuration working. I will also check the app servers to see if there is something strange in there.
Best Regards,
JC