Re: Stickiness for the SSL sessions. How to...

evguenipesliak · ‎03-19-2008

Hello,

We are using CSM-S, but in one particular application SSL has to be terminated on the servers, not the SSL daughter card.

What would be the best way to keep stickiness in this case? Tried using SSL-ID, but it still drops the session once in a while. Can you insert cookies into the existing SSL sessions?

Thank you,

Evgueni

anaustin · ‎04-22-2008

Evgueni,

I have a customer using CSS for load balancing data center traffic. They have never been able to use SSL Session ID for session persistence (sticky). One reason is that some applications open multiple connections, each with a unique SSL Session ID, and the load balancer has no mechanism to associate these streams as part of the same client application. The other reason is that both clients and servers can renegotiate the SSL session, which changes the SSL Session ID. Modern versions of MSFT IE automatically renegotiate every two minutes, for example, and session sticky can be lost when that occurs.

You may have several options here. If you can terminate the client's SSL session on the CSM then initiate a new SSL session to the server, that will give you a chance to insert a cookie or similar that you can use for persistence. You need to understand how SSL is being used with the application. If the application is using SSL for client authentication and authorization, then you cannot terminate the SSL session on the CSM. That would constitute a man-in-the-middle, which SSL is designed to prevent. Applications can be modified to work around a load balancer terminating SSL, but that is another discussion.

Alternatively you can maintain persistence using src/dest IP addresses. That is the direction I took with my customer.