cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
380
Views
0
Helpful
3
Replies

Sticky Sessions/Application Optimized Routing on a RV340

macfan007
Level 1
Level 1

 

This was previously discussed in 2018, but I'm asking again since we now have the latest firmware installed.

Does the RV340 support sticky/persistent sessions while load balancing across multiple WANs? Specifically, can it ensure that once a session is initiated on a website, the connection remains on the same WAN that handled the initial request?

Currently, the WAN changes with each request.

Expert advice would be greatly appreciated.

RV340 with multi-wan+load balancing enabled (2 ISPs/WANs, precedence = 1,1).

3 Replies 3

Joseph W. Doherty
Hall of Fame
Hall of Fame

You're only asking about selection of your outbound WAN interface on a RV340, correct?  Your only using static default routes, correct?

Unfortunately, I'm unfamiliar with what a RV340 does, but it's usually one of three methods for ECMP.

First, each packet is round robined.

Second, a flow's packets use the same path.  Flows are distributed across paths.

How flows are distributed is generally done one of two ways.  The most common way, a flow's attributes are used to always pick the same path.  Or, a new flow path is chosen via round robin, but a watch dog timer is reset with each flow's packet.  This usually insures an active flow's packets use the same path, but an aged out flow will be treated like a new flow, i.e. different path might be used.

When working with Internet web servers, thete can be many IPs servicing the DNS name, and dynamic web server LB might be in use too.

I recall (???), each HTTP transaction is stateless.  Possibly (commonly) multiple packets may be needed, but there is no implied session (logical "sessions" are provided by cookies, which is what allows even another physical web server to continue a "session", but network routers don't "see" such "sessions").

What behavior are you observing?

macfan007
Level 1
Level 1

Hi @Joseph W. Doherty 

Nope it wasn't me. Here is prev thread

it's still same behaviour with latest firmware. If you check TPLINK ER605/ER7206 they do everything but do Sticky session (They call - Enable Application Optimized Routing) 

we want similar function over-here.

Ah, that previous thread does provide context, especially the description of "sticky" using a session timeout value (the technique I was describing as the second option of flow based multi path).

What was also interesting was the issue of "sessions" being a problem with HTTPS/TLS.  Again, my understand of HTTP is it's stateless, and regarding session with HTTPS/TLS, my browser's AI returns:

https session

Based on the provided search results, I will outline the key aspects of HTTPS sessions and their lifetimes.

Establishment of an HTTPS Session

HTTPS sessions are built on top of the Transport Layer Security (TLS) protocol. When a client (typically a web browser) initiates an HTTPS connection to a server, a TLS handshake occurs. During this process:

  1. The client and server exchange cryptographic keys using asymmetric encryption (e.g., RSA).
  2. A shared secret session key is established using these keys.
  3. The session key is used to encrypt the data flow between the client and server.

Lifetime of an HTTPS Session

The lifetime of an HTTPS session depends on various factors:

  1. Default behavior: Most modern browsers and servers do not maintain a persistent SSL/TLS session between HTTPS requests. Each new request establishes a new TLS connection, and the session key is renegotiated.
  2. Session resumption: Some browsers and servers support session resumption, where the existing TLS session is reused for subsequent requests to the same server. This can reduce overhead and improve performance. However, this feature is not universally implemented and may depend on specific browser-server combinations.
  3. Certificate-based authentication: If a server uses mutual SSL/TLS (where both client and server authenticate each other), the session lifetime is tied to the certificate’s validity period. When a certificate nears expiration, the session will be terminated and a new one established.

Key Takeaways

  • HTTPS sessions are established through a TLS handshake, which includes asymmetric encryption and the generation of a shared secret session key.
  • The default behavior is to establish a new TLS connection and session key for each HTTPS request.
  • Some browsers and servers may support session resumption, reusing the existing TLS session for subsequent requests.
  • Certificate-based authentication can affect the session lifetime, with sessions terminating when a certificate nears expiration.

In code, you can observe this behavior through network inspection tools or by implementing your own HTTPS client or server. For example, in a Python HTTPS client using the requests library, each request establishes a new TLS connection:

import requests

response = requests.get('https://example.com')
print(response.request.headers['Connection'])  # "close"
 

In this example, the client initiates a new TLS connection for each request and closes it afterward. If session resumption were enabled, the Connection header would likely be set to “keep-alive” or “persist” to maintain the existing session.

The normal/common expectation, appears to be, security session is per HTTP request, so for such, as flow's L3(/L4) attributes should not be changing, and for that "session", different WAN interface shouldn't be used.  However, even for outbound per packet round robin, source/destination should logically remain the same.  I.e. possibly such packet round robin would cause out-of-sequence packet delivery, but client<>server should remain the same (excluding LB "stuff" on server side).

Notwithstanding the forgoing, your question really appears to be whether mwan3 sticky option is in the latest RV340 IOS.

Looking at configuration information for enabling MWAN, it only notes 

  • Outgoing network load balancing is performed on a per IP connection basis; it is not channel-bonding, where a single connection uses multiple WAN connections simultaneously.

Further, unfortunately, end of RV340 support is noted for 9/30/24, so if software doesn't behave as desired, not much chance Cisco will revise it within the next 30+ days.

Basically, with the end-of-support date, that's Cisco's way of saying time to replace the RV340.  If you do, of course, try to ascertain if replacement will perform as you need.

Lastly, and again, my bailiwick isn't with the SMB devices, so perhaps someone else might yet respond.  Is your RV340's actual behavior cause issues?

Review Cisco Networking for a $25 gift card