Sticky Situation - CSS11503 Load Balancer

Looking for help with a sticky setting on a CSS Content Switch.

I have 3 web servers which connect to a SQL2K application that clients connect to via the CSS using SSL. The CSS has an SSL module which decrypts the traffic and sends http to the web servers. The issue is if I have more than one web server running, the sessions don't appear to stick to the server and sql session. I don't think I can set an advanced balance cookie rule as the cookie would get stripped out when the http gets converted back to https and sent to the client. The web servers are running http so I don't think using application ssl and advanced balance ssl would work in the rule either as no ssl is coming off the backside of the css to the web servers. I currently have a balance aca rule running which spreads the load across the web servers very well, but clients can't seem to stay stuck to the original sessions. I'm also not sure if everything is in the right place in the config. I am posting my current config below. Any insight would be greatly appreciated.

CSS11503# sh run
!Generated on 07/19/2005 17:01:08
!Active version: sg0730106

configure

!*************************** GLOBAL ***************************
  logging commands enable
  logging buffer 4096

  ssl associate cert myrsacert circert.pem
  ssl associate rsakey myrsakey1 cirrsakey.pem

  ip route 0.0.0.0 0.0.0.0 222.222.222.1 1

!************************* INTERFACE *************************
interface 1/1
  description "Outside"

interface 1/2
  description "Inside"
  bridge vlan 10

!************************** CIRCUIT **************************
circuit VLAN1
  description "Outside"

  ip address 222.222.222.254 255.255.255.0

circuit VLAN10
  description "Inside"

  ip address 10.20.1.254 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 222.222.222.15
  ssl-server 20 rsacert myrsacert
  ssl-server 20 rsakey myrsakey1
  ssl-server 20 cipher rsa-with-rc4-128-sha 222.222.222.15 80
  ssl-server 20 urlrewrite 1 the-222-app.com
  active

!************************** SERVICE **************************
service FTP1
  ip address 10.20.1.1
  port 20
  protocol tcp
  active

service FTP2
  port 21
  protocol tcp
  ip address 10.20.1.5
  active

service SQL1
  ip address 10.20.1.10
  port 1433
  protocol tcp
  active

service Web1
  ip address 10.20.1.1
  port 80
  active

service Web2
  ip address 10.20.1.2
  port 80

service Web3
  ip address 10.20.1.3
  port 80

service Web4
  ip address 10.20.1.4

service ssl_serv1
  add ssl-proxy-list ssl_list1
  type ssl-accel
  slot 2
  keepalive type none
  active

service win2k_http
  ip address 10.20.1.1
  port 80
  active

!*************************** OWNER ***************************
owner L5_Owner

  content L3_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    active

  content L5_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    protocol tcp
    port 80
    url "/*"
    active

owner cirims

  content FTP1_Rule
    add service FTP1
    protocol tcp
    vip address 222.222.222.15
    port 20
    active

  content FTP2_Rule
    add service FTP2
    protocol tcp
    vip address 222.222.222.15
    port 21
    application ftp-control
    active

  content L3_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    active

  content L4_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    protocol tcp
    port 80
    url "/*"
    active

  content SQL_Rule
    add service SQL1
    vip address 222.222.222.15
    protocol tcp
    port 1433
    active

  content decrypted_www
    protocol tcp
    port 80
    add service win2k_http
    active

  content ssl_rule2
    vip address 222.222.222.15
    protocol tcp
    port 443
    application ssl
    advanced-balance ssl
    add service ssl_serv1
    active

owner ssl_owner

  content decrypted_www
    protocol tcp
    vip address 222.222.222.15
    port 80
    add service win2k_http
    active

  content ssl_rule1
    vip address 222.222.222.15
    protocol tcp
    port 443
    add service ssl_serv1
    application ssl
    advanced-balance ssl
    active

!*************************** GROUP ***************************
group GRP_ClientFTP_NAT
  vip address 10.20.1.201
  active

group GRP_FTP
  vip address 222.222.222.15
  add service FTP2
  active

group ssl_module_proxy
  add destination service Web1
  add destination service Web2
  add destination service Web3
  add destination service Web4
  vip address 10.20.1.200
  add destination service SQL1
  active

!**************************** ACL ****************************
acl 1
  clause 10 deny tcp any destination any eq 80
  clause 99 permit tcp any destination any
  apply circuit-(VLAN1)

acl 10
  clause 99 permit tcp any destination any
  apply circuit-(VLAN10)

Thanks for any advice you can offer..

Mark B.

snipped-for-privacy@hotmail.com
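
Added example (not part of the original post and not a Cisco tool): a short Python audit for the "is everything in the right place" question, run over a running-config with one command per line. It assumes the block keywords seen in the post; SAMPLE is abridged from the posted config, and treating "no advanced-balance line" as "no stickiness method on the rule" is a heuristic of this example.

```python
from collections import defaultdict
# Abridged from the config posted above, one command per line.
SAMPLE = """\
service Web1
  ip address 10.20.1.1
  active
service Web2
  ip address 10.20.1.2
owner L5_Owner
  content L5_Rule
    add service Web1
    add service Web2
    vip address 222.222.222.15
    port 80
owner cirims
  content L4_Rule
    add service Web1
    add service Web2
    vip address 222.222.222.15
    port 80
"""

def parse(text):
    """Group commands under their 'service' or 'owner/content' block."""
    services, rules, owner, cur = {}, {}, None, None
    for cmd in filter(None, map(str.strip, text.splitlines())):
        head, _, name = cmd.partition(" ")
        if head == "service":
            cur = services.setdefault(name, [])
        elif head == "content":
            cur = rules.setdefault(f"{owner}/{name}", [])
        elif head in ("owner", "group", "acl", "interface", "circuit", "ssl-proxy-list"):
            owner, cur = (name if head == "owner" else owner), None  # leave the block
        elif cur is not None:
            cur.append(cmd)
    return services, rules

def audit(text):
    """Flag inactive services, rules with no sticky method, overlapping rules."""
    services, rules = parse(text)
    out = [f"service {s} not active" for s, c in services.items() if "active" not in c]
    seen = defaultdict(list)
    for name, cmds in rules.items():
        val = lambda p: next((c[len(p):] for c in cmds if c.startswith(p)), "any")
        seen[val("vip address "), val("port ")].append(name)
        n = sum(c.startswith("add service ") for c in cmds)
        if n > 1 and not any(c.startswith("advanced-balance") for c in cmds):
            out.append(f"{name}: {n} services, no advanced-balance sticky method")
    out += [f"overlap on {' '.join(k)}: {', '.join(v)}" for k, v in seen.items() if len(v) > 1]
    return out
```

On the abridged sample, `audit(SAMPLE)` reports Web2 as not active, both web rules as balancing without a sticky method, and the two owners' rules overlapping on the same VIP and port.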


I ran into the same problem with the same device. Cisco CSS, to my knowledge, does not support sticky sessions. I had to go out and purchase an F5 Big-IP unit; I also know that Radware makes one as well.

Chad
