
SSL Id Sticky session performance issue

josecsoto
Level 1

Hi

I am trying to configure a CSS11503 with 4 Jboss servers on the back. I am having performance problems with the application and I have a few questions that maybe someone could help me with.

The CSS11503 does not have an SSL module but the application works in SSL, so the Jboss servers have the certs and do the SSL work. I need to stick the session to the server for the application to work properly. Questions:

     -  Since I don't have an SSL module in the CSS11503, can I install one and do the SSL work in the CSS11503? Or is the only solution what I am doing now, forwarding the SSL to the JBoss?

     -   I understand that my only option to stick sessions is through the SSL ID (because the traffic through the load balancer is encrypted). Am I right on this? Is there any other option with this configuration?

     - If I configure the CSS11503 with just one Jboss it works well, but the moment I add the two configuration lines to stick the SSL session (advanced-balance ssl, application ssl) the application performance goes down drastically. What can be causing this?

owner was
  content wassvr
    vip address x.x.x.74
    add service was2
    add service was3
    add service was4
    balance aca
    port 443
    protocol tcp
    advanced-balance ssl
    application ssl
    active

Thanks in advance for your comments,

JC


Andrew Nam
Level 1

Question 1. Since I don't have an SSL module in the CSS11503, can I install one and do the SSL work in the CSS11503? Or is the only solution what I am doing now, forwarding the SSL to the JBoss?

Answer: Yes, you can install the SSL module to do SSL termination at the CSS. The current config you have on the CSS is layer 4 LB, so the CSS is making the LB decision based on IP address and port number.

Please find at the link below a sample config for SSL termination at the CSS:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801aca4f.shtml

Question 2. I understand that my only option to stick sessions is through the SSL ID (because the traffic through the load balancer is encrypted). Am I right on this? Is there any other option with this configuration?

Answer: The sticky-ssl feature works by looking for the SSL session ID in the client hello packet. So you can use the SSL session ID for stickiness, but you can also use source IP stickiness.

Question 3. If I configure the CSS11503 with just one Jboss it works well, but the moment I add the two configuration lines to stick the SSL session (advanced-balance ssl, application ssl) the application performance goes down drastically. What can be causing this?

Answer: The advanced-balance command is for the stickiness. However, "application ssl" is only needed when you have two or more SSL modules and are doing L5 or above LB.

regards

Andrew

Hi Joo,

Thanks so much for your answer. I have tried without the application ssl command but in that case it's not working.

My problem continues to be the same: when I include the sticky SSL ID configuration the application starts to go very slow. I have detected that a few clients can still work OK, but most of them go slow.

I have also tried to disable ssl-l4-fallback, but the behaviour is the same.

What can be causing this? Any solution? Is there any other way to stick the session to a server considering that the connection is SSL and the device doesn't have an SSL module? Any workaround to this problem?

Thanks in advance,

JC

Hello JC!

As Andrew wrote before, you can use stickiness by IP address as well. But it will be most useful if your application works without a proxy server.

Regards,

Marko

Hi Marko,

Thanks for your reply. Clients are in fact coming through a proxy so source IP stickiness will not be helpful. Is there any other workaround?

Thanks!

JC

Hi JC

For the performance issue, it may not be related to the CSS. You can do a quick test for the performance. Have a test client bypass the CSS (i.e. direct access to the server) and see if you still see the slowness. If you do the SSL termination on the server, the server needs to have good processing power to encrypt and decrypt the SSL traffic. That's the reason why the LB offers SSL offloading.

For the sticky SSL ID, there were some known issues with some web browsers, especially with old IE (I'm not really sure about new browsers).

The SSL cache time-out interval is set very low and it can force a full SSL handshake, meaning that the client can stick to a new server.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q265369&ID=kb;en-us;Q265369

regards

Andrew
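
The behaviour described in the replies above (SSL ID stickiness reads the session ID from the ClientHello, and a forced full handshake loses the binding), as an added example that is not part of the original thread or of the CSS software. The function and class names are hypothetical, the ClientHello bytes are constructed, round-robin stands in for the configured balance method, and the server names are taken from the posted config.

```python
from typing import Optional

def client_hello_session_id(record: bytes) -> Optional[bytes]:
    """Session ID from a TLS ClientHello record; b"" = full handshake, None = not a ClientHello."""
    # 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random
    off = 5 + 4 + 2 + 32
    if len(record) <= off or record[0] != 0x16 or record[5] != 0x01:
        return None
    sid_len = record[off]
    if sid_len > 32 or off + 1 + sid_len > len(record):
        return None
    return record[off + 1: off + 1 + sid_len]

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal ClientHello (sample input only, not a capture)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

class SslIdSticky:
    """Simplified model of an L4 balancer that can only see the cleartext handshake."""
    def __init__(self, servers):
        self.servers, self.table, self.next = servers, {}, 0

    def pick(self, client_hello: bytes) -> str:
        sid = client_hello_session_id(client_hello)
        if sid and sid in self.table:      # resumed session: keep the same server
            return self.table[sid]
        server = self.servers[self.next % len(self.servers)]  # no usable ID: rebalance
        self.next += 1
        return server

    def learn(self, session_id: bytes, server: str) -> None:
        # Assumption: the ID the server assigned is recorded once the handshake completes.
        self.table[session_id] = server

def demo():
    lb = SslIdSticky(["was2", "was3", "was4"])
    first = lb.pick(build_client_hello(b""))     # new client, empty session ID
    sid = bytes(range(32))                       # constructed server-issued ID
    lb.learn(sid, first)
    resumed = lb.pick(build_client_hello(sid))   # client resumes: same server
    expired = lb.pick(build_client_hello(b""))   # client cache timed out: full handshake
    return first, resumed, expired

if __name__ == "__main__":
    print(demo())
```

The third connection lands on a different server even though the application session is unchanged. In TLS 1.3 this field is a legacy value that no longer identifies a resumable session, so the same lookup gives no persistence there.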

To me SSL session ID based persistence is still totally unreliable as the SSL session is not related to the application session. I always use source IP if I don't perform SSL offload on the load balancer.

Thanks for your reply Surya,

My clients are coming through a proxy; would configuring the source IP have any benefit? Does that option take into consideration just the IP or the TCP port as well? If it's just the IP, all my clients come with the proxy IP.

Thanks,

JC

Hi Joo,

That test was done. The app server works well and the performance is OK. With the load balancer the performance is good till I add the conf: advanced-balance ssl, application ssl

Thanks,

JC

Anyway, I guess the problem does not lie within the CSS. We have a similar configuration here, but we terminate the SSL sessions on a Juniper behind the CSS. The Juniper then goes to the webservers. As all is running fine I would guess the CSS is not a problem there. We use advanced-balance ssl and application ssl as well.

Thanks Marko, good to know you have that same configuration working. I will also try to check the app servers to see if there is something strange in there.

Best Regards,

JC
