ASR and arrowpoint-cookie

Is it recommended to use ASR on arrowpoint-cookie content rules? I know that when the primary CSS fails the backup CSS will accept cookies issued by the primary and then issue a new one to the client for the same server. I understand the need on sticky-srcip content rules.
Thanks

With arrowpoint-cookie, there is no sticky table.
So ASR does not need to exchange information between the 2 CSS.
However, ASR is also there to preserve active connections after failover.
So you should use it for every content rule, whatever the load-balancing option.
Also, I'd like to clarify one point.
The backup CSS will not issue a new cookie when receiving new connections.
Both CSS will use the same cookie, which is why there is no need to exchange sticky table info for arrowpoint-cookie.
This is also why the backup can take over new connections and understand the cookie presented by the client.
Regards,
Gilles.

Similar Messages

  • Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests

    Hi,
    I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
    However, the reverse proxy seems to make only a handful of connections to the servers compared to the number of incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load-balancing decision based on the first HTTP GET in a TCP stream and not on a per-transaction basis AND our reverse proxy is multiplexing client requests. However, I cannot convince myself of how the arrowpoint-cookie method actually works.
    I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?

    Hi Gilles,
    I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
    A bit more info: the reverse proxy is an AXG Web Application Firewall. I have been looking at this and am considering disabling connection re-use on here.
    However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
    Thanks, David.

  • Arrowpoint cookies and state changes

    We have an 11050 6.10 build 4 (replacing it soon with a 11501) that is setting a cookie so we can stick a client to a server. The application is also setting a JSESSION cookie. The service is doing a HEAD to a specific page to verify the service is up. The service can change state often (say 1000 times in 2 hours) but the service is not always marked as down. It may only be marked as down 5 to 10 times in those 2 hours. The users are experiencing slow response and are getting kicked out of the application and going back to a login screen. My questions are:
    1. State Change Counters. If I go from alive to dying to alive is that 1 or 2 state changes?
    2. If a service is dying and a client connects to the service with the cookie already set will the CSS send them to the dying server or will it send them to the alive server? If it sends them to the alive server does it reset the cookie?
    3. If the service is down does the CSS send a RST to the client or does it just over write the cookie and send it to the alive server?
    4. Service timeouts. Is it true that the timeout for a service is the frequency -1? So if I have a frequency of 5 seconds if the CSS doesn't get a response within 4 seconds the service would go to the dying state?
    Thanks

    Thanks for the response. According to the Cisco documentation below when a service is down the client will be directed to the alive server. If clients aren't automatically sent to the alive server how would they ever get off the down service?
    The service isn't strange, it's the app that's strange ;-) Basically they're getting slow response and the clients are getting kicked out of the app. As usual they want to blame everything else but the app.
    The increase that I thought I was seeing in the state counters might not be accurate. When I did the show service it said the counters had been cleared this morning and they were already up to 1300. However, no one logged into the CSS except our Ciscoworks server. I'm not sure why it said they were cleared this morning unless CW2K is doing it. I cleared the counters and they're back to zero so I'll monitor it.
    ---Cisco Doc-------
    When a client comes in with a valid cookie request but the sticky server is not available, the CSS uses the sticky-serverdown-failover configuration to handle the request.
    By default, the sticky-serverdown-failover is configured as balance. The sticky-serverdown-failover balance method will treat the client's request as an initial request without the ArrowPoint cookie. It uses the load-balancing algorithm to choose a server, and then redirects the request with a generated ArrowPoint cookie.
    The other option is a failover type of redirect. In this case, the CSS redirects the request to the specified URL.
    The command sticky-no-cookie-found-action should not be configured in an ArrowPoint cookie content rule. Not only will this command not work, it produces many irregularities in the CSS.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801c8c2f.shtml

  • Arrowpoint Cookies and their lifetime

    Hi,
    I have a question regarding arrowpoint cookies. Is the lifetime of a cookie reset every time a new connection with this cookie is set up, or does the lifetime count from when the cookie was set for the first time?
    If the latter is the case, how does the CSS ensure that one sticks to the correct server once the lifetime is over?
    Kind Regards,
    Joerg

    The cookie value contains the server name or IP address.
    Therefore, the CSS does not keep any sticky table for the cookies.
    The normal cookie rules apply regarding lifetime of the cookie on a client.
    What you can do is set the expiration time of the cookie on the client.
    This is done with the command "arrowpoint-cookie expiration"
    Sample config at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094398.shtml
    Regards,
    Gilles.

  • CSS arrowpoint cookie load balancing issue

    Hi guys,
    I need some advice on a load balancing issue.
    We have connections hitting the CSS via a proxy environment. As a result I see only one source IP address. I want to use arrowpoint cookies for session stickiness. However, when I enable the rule the TCP session negotiation fails. The CSS sends a TCP RST which terminates the session.
    Here's the rule config:
    content HTTP_rule
    add service ZSTS299102
    add service ZSTS281101
    vip address <filtered>
    add service LONS299102
    add service LONS281101
    balance weightedrr
    change service ZSTS299102 weight 5
    change service ZSTS281101 weight 5
    advanced-balance arrowpoint-cookie
    protocol tcp
    port 80
    url "/*"
    active
    Any help would be much appreciated.

    Remko,
    in L3/L4 the CSS sends the SYN directly to the server.
    So when the FIN comes in, we simply pass it to the server.
    With L5 the CSS spoofs the connection and we select the server only after receiving the GET.
    If there was some delay between the GET and the FIN, the CSS would have time to establish a connection with the server and the FIN could be simply forwarded.
    Unfortunately, in this case the FIN is right after the GET with no delay.
    Gilles.

  • Problems with Arrowpoint cookies for clients behind a Proxy

    I have a website whose clients are load balanced using Arrowpoint cookies to a virtual server. The CSS load-balances between three Apache real servers.
    I have some clients that are behind some kind of proxy cache, and I have seen with a sniffer that the proxies causing the problem re-use proxy-to-server connections for different requests from multiple clients.
    Then, as I understand it, the CSS makes the forwarding decision based on the cookie of the first request from the first client behind the proxy after the HTTP connection is established, but when there is a request from another client using this same connection (which must be forwarded to another real server), the request is forwarded to the original web server and fails because we need sticky connections.
    I thought that this wasn't correct, but I have read some documents that say that this is called a proxy's role as a "connection cache". So my question is whether there is any workaround for this problem.
    Thanks

    I believe your problem is that the proxy opens a few persistent connections with the CSS and load-balances your clients' requests over them.
    Once the CSS has associated a connection with a service, it does not look into the request anymore.
    The solution is to disable persistence on the CSS with the command 'no persistent' and 'persistence reset'.
    Find more info at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093e06.shtml#crp
    Gilles.
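
The effect described in this thread, as a simplified model (an added example, not code from the thread or from Cisco). The server names, the request schedule and the assumption that a client stays stuck to whichever server first answered it are constructed for illustration; the second mode re-evaluates the cookie on every request, which is the behaviour the workaround in the reply aims for.

```python
"""Toy model: cookie stickiness behind a proxy that re-uses upstream connections."""
from itertools import cycle

SERVERS = ["web1", "web2", "web3"]          # hypothetical real servers

# Constructed schedule: 4 clients, 3 requests each, spread by the proxy over
# 3 shared upstream connections, so clients keep changing connection.
REQUESTS = [(f"conn{i % 3}", "ABCD"[i % 4]) for i in range(12)]


class CookieBalancer:
    def __init__(self, servers, persistent=True):
        self.servers = servers
        self.persistent = persistent         # True: decide once per connection
        self._rr = cycle(servers)
        self._bound = {}                     # connection id -> chosen server

    def _pick(self, cookie):
        # The cookie names its server; without a valid cookie, round-robin.
        return cookie if cookie in self.servers else next(self._rr)

    def route(self, conn_id, cookie):
        if self.persistent and conn_id in self._bound:
            # Connection already associated with a service:
            # later requests on it are not inspected again.
            return self._bound[conn_id]
        server = self._pick(cookie)
        self._bound[conn_id] = server
        return server


def count_misrouted(balancer, requests):
    """Count requests delivered to a server other than the one in the client's cookie."""
    cookies = {}                             # client -> server it is stuck to
    misrouted = 0
    for conn_id, client in requests:
        cookie = cookies.get(client)
        server = balancer.route(conn_id, cookie)
        if cookie is not None and server != cookie:
            misrouted += 1
        cookies.setdefault(client, server)   # first response sets the cookie
    return misrouted


if __name__ == "__main__":
    for mode in (True, False):
        lb = CookieBalancer(SERVERS, persistent=mode)
        print(f"persistent={mode}: {count_misrouted(lb, REQUESTS)} of "
              f"{len(REQUESTS)} requests hit the wrong server")
```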

  • Do arrowpoint-cookies use "string range"?

    I can't find any document mentioning whether or not "advanced-balance arrowpoint-cookie" uses the "string range" setting in a content rule to determine how far to look down the cookie string to find the ARPT cookie. The default setting in the rule is "1 to 100", so if I have a cookie string that looks like this (from a sniffer trace):
    HTTP: 12: Cookie: $Version=0; XSESSIONID=Qy8PilVehwrIFD8Fs6tqzbIhtSFe3Qer9Euu2qGE4Ygz1nx29238F0FuFPS!=1730213783!=2102771864!8161!7002; ARPT=OZOMIVS172.16.1.20CK00J; preloginFlag=yes; termsflag=yes
    The arrowpoint cookie ARPT is more than 100 characters into the string, so will the CSS not see this cookie and send a new one (thereby rebalancing, possibly to a new server)? Or does advanced-balance arrowpoint-cookie always look through the entire cookie string?
    I haven't been able to lab test this, so I was wondering if anyone knew for sure?
    Thanks,
    Paul

    Paul,
    For arrowpoint cookie the CSS will look in the first 6 packets - whatever the size.
    You can increase or decrease this value with the command
    CSS11503(config)# spanning-packets ?
    Integer value(Range: 1-20)
    The string range has no effect for arrowpoint-cookie.
    Regards,
    Gilles.
    Thanks for rating this answer.

  • CSS11500 arrowpoint-cookie question

    I'm doing some testing with a CSS11500 in a one-armed configuration.
    I need to ensure that users will stick to the same web server for a period of about 8 hours. I know this can be accomplished with sticky sourceip, but wanted to try arrowpoint-cookies to see how that worked. I believe I have everything configured correctly, but for some reason, I'm not getting any arrowpoint-cookies. Load-balancing is occurring round-robin and there are never any arrowpoint cookies in my Temp Internet Files folder.
    Does anyone have any clues?
    Config below:
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 192.168.200.100 255.255.255.0
    no redirects
    !************************** SERVICE **************************
    service adcwps1p
    ip address 158.52.157.197
    string css_adcwps1p
    active
    service adcwps3p
    ip address 158.52.157.195
    keepalive type none
    string css_adcwps3p
    active
    !*************************** OWNER ***************************
    owner WHR_Portal
    content Employee_Portal
    vip address 192.168.200.106
    add service adcwps1p
    add service adcwps3p
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie expiration 00:08:00:00
    arrowpoint-cookie expire-services
    active
    !*************************** GROUP ***************************
    group Portal_Servers
    vip address 192.168.200.106
    portmap number-of-ports 57216
    add destination service adcwps1p
    add destination service adcwps3p
    active

    Gilles-
    Thanks for your reply. The clock is correctly set and is using sntp to keep time synchronized.
    I did a sniffer trace like you asked, and I see the page being served from my VIP. I don't, however, see any arrowpoint-cookies. There is a cookie being set, but it is being set by my source server and, unfortunately, does not provide unique information for stickiness.
    Below is part of the TCP decode from the sniffer trace:
    GET /wps/WhrWasLogin HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
    Host: portal.whirlpool.com
    Connection: Keep-Alive
    Cookie: WhrCredZmlzYmVnYzswMDAyQjM0MUU3NDg$=5EEB7C1E3A48E3B8
    HTTP/1.1 200 OK
    Date: Fri, 21 Mar 2003 19:12:59 GMT
    Server: IBM_HTTP_Server/1.3.12.6 Apache/1.3.12 (Unix)
    Pragma: no-cache
    Cache-Control: no-cache="set-cookie,set-cookie2"
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: sesessionid=0001DV51K5P5GZ40PGFTEV3AKJY;Path=/
    Keep-Alive: timeout=30
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html;charset=8859_1
    Content-Language: en

  • Arrowpoint cookie HTTP Only flag set.

    Hi All,
    I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advanced-balance arrowpoint-cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?
    Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.
    Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. The following URL has some information for review.
    Thanks in advance for your help.
    Alfie...

    Alfie,
    Your security test tool assumes the CSS is a webserver and therefore complains when seeing some missing *flag*.
    However, you won't be able to attack the CSS with whatever method that works against a webserver.
    We have our own onboard DOS feature.
    So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.
    Make sure the servers behind the CSS are protected and have your HTTPOnly flag.
    Gilles.
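
One way to see which cookies in a captured response lack the HttpOnly attribute, and which device set them (an added example, not code from the thread). The two responses, their source labels and the cookie values are constructed; only the cookie names JSESSIONID and ARPT are taken from this page.

```python
"""Audit Set-Cookie headers in captured HTTP responses for missing attributes."""

REQUIRED_FLAGS = ("httponly",)     # add "secure" when the site is HTTPS-only

# Constructed captures, keyed by where each one was taken.
SAMPLE_RESPONSES = {
    "app server (constructed)": (
        "HTTP/1.1 200 OK\r\n"
        "Server: ExampleServer\r\n"
        "Set-Cookie: JSESSIONID=0001EXAMPLE; Path=/\r\n"
        "Set-Cookie: prefs=lang-en; Path=/; HttpOnly\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>Set-Cookie: not-a-header=1</html>"
    ),
    "load balancer (constructed)": (
        "HTTP/1.1 200 OK\n"
        "set-cookie: ARPT=EXAMPLEVALUE; path=/\n"
        "\n"
    ),
}


def parse_set_cookies(raw_response):
    """Return [(cookie_name, {lower-cased attribute names})], one per Set-Cookie header."""
    # Only the header section counts; body text that looks like a header is ignored.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    cookies = []
    for line in head.split("\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue                               # header names are case-insensitive
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        # Attributes may be bare (HttpOnly) or valued (Path=/); keep the name only.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        cookies.append((cookie_name, attrs))
    return cookies


def audit(responses, required=REQUIRED_FLAGS):
    """Return sorted (source, cookie_name, missing_flag) findings."""
    findings = []
    for source, raw in responses.items():
        for cookie_name, attrs in parse_set_cookies(raw):
            for flag in required:
                if flag not in attrs:
                    findings.append((source, cookie_name, flag))
    return sorted(findings)


if __name__ == "__main__":
    for source, cookie, flag in audit(SAMPLE_RESPONSES):
        print(f"{source}: cookie {cookie!r} is set without {flag}")
```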

  • Arrowpoint cookie + stickiness

    Hi, I have a question regarding advanced-balance arrowpoint-cookie.
    The stickiness works fine unless the server goes down. When the server is dying and the user is making a request to the dying server, the CSS sends a RST but the client still tries to reach the old server. The stickiness switches over to the next server only if I stop the pending request and make a new request. Do you have a suggestion?
    Here the configuration of the content:
    content testcontent
    protocol tcp
    vip address 194.41.224.138
    redundant-index 1000
    add service h00bhm
    add service h00bhs
    arrowpoint-cookie expiration 00:00:30:00
    port 80
    url "/*"
    advanced-balance arrowpoint-cookie
    balance aca
    active

    If you have a persistent connection active when the server dies, the next request from the client is not load-balanced and is still forwarded to the server.
    This is the normal behavior.
    You can try the command 'no persistent' in the content rule and the command 'persistent reset remap' in global config.
    [might be persistence instead of persistent - never know which one is the correct spelling].
    Regards,
    Gilles.

  • I have tried all the steps you listed in your FAQ section on enabling and disabling cookies but I am still getting the error message "cookies not enabled" on certain websites. Now what do I do?

    I have tried every step you have listed in your FAQ section for enabling and disabling cookies but I am still getting error messages "cookies not enabled" on certain websites? Why is this and what do I need to do to fix this?

    I have STILL NOT received an answer to my question as of this date. I am VERY disappointed in Firefox support.

  • How do I get and set cookies with JSF?

    How do I get and set cookies in a JSF managed bean?
    Regards,
    Al Malin

    Below is how I did it...I am receptive to improvements.
    import javax.faces.context.FacesContext;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // Inside a managed-bean method; 'logger' is the bean's own logger field.
    FacesContext facesContext = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
    HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();
    HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
    String cookieName = "myCookieName";
    Cookie requestCookie = null;
    // Get: look for the named cookie among those sent with the request.
    Cookie[] cookies = request.getCookies();
    logger.info("looking for cookie...");
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals(cookieName)) {
                requestCookie = cookies[i];
                logger.info(cookieName + " = " + requestCookie.getValue());
            }
        }
    }
    logger.info("done looking for cookie");
    // Set: add a cookie to the response.
    Cookie responseCookie = new Cookie(cookieName, "myCookieValue");
    responseCookie.setPath("/");
    response.addCookie(responseCookie);

  • Cannot get it to accept cookies; privacy settings are re-set each time after I change them. How can I get the privacy setting to stick and accept cookies?

    I need to accept cookies to log into a technical site. I clear all cookies and the history and follow the instructions for setting privacy options to "Use custom settings for history" and to accept all cookies. When I go back to try logging into the site, it still tells me cookies aren't accepted. When I go back to Options-Privacy, the setting has been changed back to "Remember history" from "Use custom settings for history". I have done this about 5 times, trying various options, closing Firefox after making the change and starting it again - nothing works. How can I get the privacy settings to stay as I set them and accept cookies?

    Blocking all cookies in Safari does not work. Deleted cookies will not stay deleted. There are numerous threads on this going back years, both in these forums and elsewhere. Many claim to have submitted the issue to Apple, but I have never seen anyone post a reply.
    I have seen many suggested fixes that involve finding the cookies file, some including Terminal manipulations, and none seems to work universally. I can find no place where Apple addresses this officially with an actual Apple-approved explanation or how-to.
    Bottom line, your browser's security features should do what they claim: delete cookies. When they come back without ever even visiting another page, this is clearly not working in the way a reasonable user would expect.
    Bottom line, Safari does not protect users' privacy in the way it pretends to and, after so many years of this issue, it appears that Apple wants it this way.
    Having spent way too much time on this, I realize the choice is between Safari which is pretty well optimized; Firefox which is a lot pokier, at least for me; and Chrome, which I assume funnels personal information directly to Google.

  • Safari allows 3rd party cookies and all cookies even when preferences are set to "never allow" with Mac OS 10.6.8

    Safari ALWAYS allows 3rd party cookies and all cookies even when set to "block cookies: always" and "from 3rd party and advertisers."  I have removed the website data, emptied the cache, reset Safari, erased the history and it STILL dumps cookies.  (For example, if I go to the usgov weather website only I end up with 11 cookies, the top one being "addthis.com" listed as cached in local storage.  But didn't I just empty the cache... multiple times???) Is my Safari application "broken" or "corrupt"?  Can the application be renewed so that it actually does what it is commanded to do?

    Not using any extensions, Andy.
    Allowed a guest account and tested that.  Lots of cache/cookies showed up for my "guest" that on face value, appeared 3rd party:  the familiar "addthis.com" cache and others including a facebook cache and I did not, nor have ever, participated in facebook. But it could be that the "trusted" site my virtual guest visited had a relationship with facebook such that my COMPUTER "friended" facebook even though my guest and I most certainly would have declined the invitation :-)  But what I really don't get is why washington post cookies keep showing up every single time.  Isn't that the absolute definition of 3rd party cookies?!
    forgive my rant.
    On the other hand, when I logged out as guest, all data was automatically deleted, and when I relogged in as guest, it appeared that all the data, including cached data, had indeed been deleted.  But when I relogged in as myself, the same old garbage reappeared in the cache and cookie bin. The fact is, there appears to be no such thing as truly and completely emptying ones cache, resetting ones browser, or deleting ones cookies. They are here to stay.
    (And, oh yes, I have tried logging out, turning off and on the computer right after performing emptying tasks, etc.)

  • Safari, maps, utube and app store will not open on my ipad1?  If I go to Settings and Safari and Clear Cookies, then Settings will close abruptly.  How to fix?

    Hi,
    Neither Safari, utube, maps, itunes or app store will open on my ipad1.  I tried to go to Settings, Safari and Clear Cookies - but when I do that Settings will abruptly close.  How to fix?  I tried restore - did not work.
    Thankyou,
    Jeff

    Try downloading any free app and see if that helps to reset the iPad and return your apps to normal. If that doesn't work ...
    Close all apps. Go to the home screen first by tapping the home button. Quit/close open apps by double tapping the home button and the task bar will appear with all of your recent/open apps displayed at the bottom. Tap and hold down on any app icon until it begins to wiggle. Tap the minus sign in the upper left corner to close the apps. Restart the iPad. Restart the iPad by holding down on the sleep button until the red slider appears and then slide to shut off. To power up hold the sleep button until the Apple logo appears and let go of the button. If that doesn't help try this ...
    Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider - let go of the buttons.
