CSS11500 arrowpoint-cookie question

I'm doing some testing with a CSS11500 in a one-armed configuration.
I need to ensure that users will stick to the same web server for a period of about 8 hours. I know this can be accomplished with sticky sourceip, but wanted to try arrowpoint-cookies to see how that worked. I believe I have everything configured correctly, but for some reason, I'm not getting any arrowpoint-cookies. Load-balancing is occurring round-robin and there are never any arrowpoint cookies in my Temp Internet Files folder.
Does anyone have any clues?
Config below:
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.200.100 255.255.255.0
    no redirects
!************************** SERVICE **************************
service adcwps1p
  ip address 158.52.157.197
  string css_adcwps1p
  active
service adcwps3p
  ip address 158.52.157.195
  keepalive type none
  string css_adcwps3p
  active
!*************************** OWNER ***************************
owner WHR_Portal
  content Employee_Portal
    vip address 192.168.200.106
    add service adcwps1p
    add service adcwps3p
    advanced-balance arrowpoint-cookie
    arrowpoint-cookie expiration 00:08:00:00
    arrowpoint-cookie expire-services
    active
!*************************** GROUP ***************************
group Portal_Servers
  vip address 192.168.200.106
  portmap number-of-ports 57216
  add destination service adcwps1p
  add destination service adcwps3p
  active

Gilles-
Thanks for your reply. The clock is correctly set and is using sntp to keep time synchronized.
I did a sniffer trace like you asked, and I see the page being served from my VIP. I don't, however, see any arrowpoint-cookies. There is a cookie being set, but it is being set by my source server and, unfortunately, does not provide unique information for stickiness.
Below is part of the TCP decode from the sniffer trace:
GET /wps/WhrWasLogin HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: portal.whirlpool.com
Connection: Keep-Alive
Cookie: WhrCredZmlzYmVnYzswMDAyQjM0MUU3NDg$=5EEB7C1E3A48E3B8

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2003 19:12:59 GMT
Server: IBM_HTTP_Server/1.3.12.6 Apache/1.3.12 (Unix)
Pragma: no-cache
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: sesessionid=0001DV51K5P5GZ40PGFTEV3AKJY;Path=/
Keep-Alive: timeout=30
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=8859_1
Content-Language: en

Similar Messages

  • Problems with Arrowpoint cookies for clients behind a Proxy

    On a web site, I have clients being load balanced to a virtual server using Arrowpoint cookies. The CSS load-balances between three Apache real servers.
    I have some clients that are behind some kind of proxy cache, and I have seen with a sniffer that the proxies causing the problem re-use their connections to our server for different requests from multiple clients.
    As I understand it, the CSS makes the forwarding decision based on the cookie of the first request from the first client behind the proxy after the HTTP connection is established, but when a request from another client arrives on this same connection (and must be forwarded to a different real server), the request is forwarded to the original web server and fails because we need sticky connections.
    I thought that this wasn't correct, but I have read some documents that say that this is called a proxy's role as a "connection cache". So my question is whether there is any workaround for this problem.
    Thanks

    I believe your problem is that the proxy opens a few persistent connections with the CSS and load-balances your clients' requests over them.
    Once the CSS has associated a connection with a service, it does not look into the request anymore.
    The solution is to disable persistence on the CSS with the command 'no persistent' and 'persistence reset'.
    Find more info at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093e06.shtml#crp
    Gilles.
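
The behaviour described in this answer, as an added example that is not part of the original thread and not Cisco code: a toy model in which the balancer either binds a whole connection to the server chosen for its first request, or re-evaluates the cookie on every request. The server names, client names and traffic are constructed, and the model ignores how the real device remaps the back-end connection.

```python
"""Toy model (not Cisco code) of cookie-based server selection, contrasting a
decision made once per TCP connection with one made for every request."""
from itertools import cycle

SERVERS = ["web1", "web2", "web3"]  # hypothetical real-server names


class Balancer:
    def __init__(self, persistent):
        self.persistent = persistent  # True: bind each connection to one server
        self._rr = cycle(SERVERS)     # round-robin for requests without a cookie
        self._bound = {}              # connection id -> server chosen earlier

    def route(self, conn_id, cookie):
        if self.persistent and conn_id in self._bound:
            return self._bound[conn_id]  # later requests are not inspected
        # The cookie names the server itself, so no sticky table is consulted.
        server = cookie if cookie in SERVERS else next(self._rr)
        self._bound[conn_id] = server
        return server


def misrouted(persistent, requests):
    """List (client, wanted, got) for requests whose cookie was not honoured."""
    lb = Balancer(persistent)
    bad = []
    for conn_id, client, cookie in requests:
        got = lb.route(conn_id, cookie)
        if cookie is not None and got != cookie:
            bad.append((client, cookie, got))
    return bad


# Constructed sample: a proxy multiplexes three clients over two connections.
# Each tuple is (proxy-to-balancer connection, client, server named in cookie).
PROXY_TRAFFIC = [
    ("conn-A", "alice", "web1"),
    ("conn-A", "bob", "web2"),
    ("conn-B", "carol", "web3"),
    ("conn-B", "alice", "web1"),
    ("conn-A", "carol", "web3"),
]

if __name__ == "__main__":
    for persistent in (True, False):
        label = "persistent" if persistent else "no persistent"
        print(f"{label:14} misrouted: {misrouted(persistent, PROXY_TRAFFIC)}")
```

With per-connection binding, three of the five requests land on a server other than the one named in their cookie; with per-request evaluation none do.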

  • Arrowpoint cookie + stickiness

    Hi, I have a question regarding advance balance arrowpoint cookie.
    The stickiness works fine unless the server goes down. When the server is dying and the user is making a request to the dying server, the CSS sends a RST but the client still tries to reach the old server. The stickiness switches over to the next server only if I stop the pending request and make a new request. Do you have a suggestion?
    Here the configuration of the content:
    content testcontent
    protocol tcp
    vip address 194.41.224.138
    redundant-index 1000
    add service h00bhm
    add service h00bhs
    arrowpoint-cookie expiration 00:00:30:00
    port 80
    url "/*"
    advanced-balance arrowpoint-cookie
    balance aca
    active

    If you have a persistent connection active when the server dies, the next request from the client is not load-balanced and is still forwarded to the server.
    This is the normal behavior.
    You can try the command 'no persistent' in the content rule and the command 'persistent reset remap' in global config.
    [might be persistence instead of persistent - never know which one is the correct spelling].
    Regards,
    Gilles.

  • Arrowpoint cookies and state changes

    We have an 11050 6.10 build 4 (replacing it soon with a 11501) that is setting a cookie so we can stick a client to a server. The application is also setting a JSESSION cookie. The service is doing a HEAD to a specific page to verify the service is up. The service can change state often (say 1000 times in 2 hours) but the service is not always marked as down. It may only be marked as down 5 to 10 times in those 2 hours. The users are experiencing slow response and are getting kicked out of the application and going back to a login screen. My questions are:
    1. State Change Counters. If I go from alive to dying to alive is that 1 or 2 state changes?
    2. If a service is dying and a client connects to the service with the cookie already set will the CSS send them to the dying server or will it send them to the alive server? If it sends them to the alive server does it reset the cookie?
    3. If the service is down does the CSS send a RST to the client or does it just over write the cookie and send it to the alive server?
    4. Service timeouts. Is it true that the timeout for a service is the frequency -1? So if I have a frequency of 5 seconds if the CSS doesn't get a response within 4 seconds the service would go to the dying state?
    Thanks

    Thanks for the response. According to the Cisco documentation below when a service is down the client will be directed to the alive server. If clients aren't automatically sent to the alive server how would they ever get off the down service?
    The service isn't strange it's the app that's strange ;-) Basically they're getting slow response and the clients are getting kicked out of the app. As usual they want to blame every thing else but the app.
    The increase that I thought I was seeing in the state counters might not be accurate. When I did the show service it said the counters had been cleared this morning and they were already up to 1300. However, no one logged into the CSS except our Ciscoworks server. I'm not sure why it said they were cleared this morning unless CW2K is doing it. I cleared the counters and they're back to zero so I'll monitor it.
    ---Cisco Doc-------
    When a client comes in with a valid cookie request but the sticky server is not available, the CSS uses the sticky-serverdown-failover configuration to handle the request.
    By default, the sticky-serverdown-failover is configured as balance. The sticky-serverdown-failover balance method will treat the client's request as an initial request without the ArrowPoint cookie. It uses the load-balancing algorithm to choose a server, and then redirects the request with a generated ArrowPoint cookie.
    The other option is a failover type of redirect. In this case, the CSS redirects the request to the specified URL.
    The command sticky-no-cookie-found-action should not be configured in an ArrowPoint cookie content rule. Not only will this command not work, it produces many irregularities in the CSS.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801c8c2f.shtml

  • Arrowpoint Cookies and their lifetime

    Hi,
    I have a question regarding arrowpoint cookies. Is the lifetime of a cookie reset every time a new connection with this cookie is set up, or does the lifetime count from when the cookie was set for the first time?
    If the latter is the case, how does the CSS ensure that one sticks to the correct server once the lifetime is over?
    Kind Regards,
    Joerg

    The cookie value contains the server name or IP address.
    Therefore, the CSS does not keep any sticky table for the cookies.
    The normal cookie rules apply regarding lifetime of the cookie on a client.
    What you can do is set the expiration time of the cookie on the client.
    This is done with the command "arrowpoint-cookie expiration"
    Sample config at :
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094398.shtml
    Regards,
    Gilles.

  • CSS arrowpoint cookie load balancing issue

    Hi guys,
    I need some advice on a load balancing issue.
    We have connections hitting the CSS via a proxy environment. As a result I see only one source IP address. I want to use arrowpoint cookies for session stickiness. However, when I enable the rule the TCP session negotiation fails. The CSS sends a TCP/RST which terminates the session.
    Here's the rule config:
    content HTTP_rule
    add service ZSTS299102
    add service ZSTS281101
    vip address <filtered>
    add service LONS299102
    add service LONS281101
    balance weightedrr
    change service ZSTS299102 weight 5
    change service ZSTS281101 weight 5
    advanced-balance arrowpoint-cookie
    protocol tcp
    port 80
    url "/*"
    active
    Any help would be much appreciated.

    Remko,
    in L3/L4 the CSS sends the SYN directly to the server.
    So when the FIN comes in, we simply pass it to the server.
    With L5 the CSS spoofs the connection and we select the server only after receiving the GET.
    If there was some delay between the GET and the FIN, the CSS would have time to establish a connection with the server and the FIN could be simply forwarded.
    Unfortunately, in this case the FIN is right after the GET with no delay.
    Gilles.

  • Do arrowpoint-cookies use "string range"?

    I can't find any document mentioning whether or not "advanced-balance arrowpoint-cookie" uses the "string range" setting in a content rule to determine how far to look down the cookie string to find the ARPT cookie. The default setting in the rule is "1 to 100", so if I have a cookie string that looks like this (from a sniffer trace):
    HTTP: 12: Cookie: $Version=0; XSESSIONID=Qy8PilVehwrIFD8Fs6tqzbIhtSFe3Qer9Euu2qGE4Ygz1nx29238F0FuFPS!=1730213783!=2102771864!8161!7002; ARPT=OZOMIVS172.16.1.20CK00J; preloginFlag=yes; termsflag=yes
    The arrowpoint cookie ARPT is more than 100 characters into the string, so will the CSS not see this cookie and send a new one (thereby rebalancing, possibly to a new server)? Or does advanced-balance arrowpoint-cookie always look through the entire cookie string?
    I haven't been able to lab test this, so I was wondering if anyone knew for sure?
    Thanks,
    Paul

    Paul,
    for arrowpoint cookie the CSS will look in the first 6 packets - whatever the size.
    You can increase or decrease this value with the command
    CSS11503(config)# spanning-packets ?
    Integer value(Range: 1-20)
    The string range has no effect for arrowpoint-cookie.
    Regards,
    Gilles.
    Thanks for rating this answer.

  • Problems with Arrowpoint Cookies

    I have a CSS 11503 set up in a DMZ that is load balancing 2 Netsilica proxies. All worked OK when I used sticky srcip.
    We are also using Akamai externally; they said clients' IPs may change during use. Tried to use arrowpoint cookies.
    service
    string xyz
    content rule
    balance aca
    advance balance arrowpoint-cookie
    arrowpoint-cookie expiration 01:00:01:01
    this seems to bounce the users from proxy to proxy.
    Need sticky non source IP , any ideas welcome
    Thanks
    Steve

    Steve,
    First, if you can't use sourceip for stickiness, there is no other solution than cookies.
    Arrowpoint cookie should work.
    Verify with a sniffer trace if the client is sending the cookie with each request.
    Some browsers disable cookies.
    Gilles.

  • ASR and arrowpoint-cookie

    Is it recommended to use ASR on arrowpoint-cookie content rules? I know that when the primary CSS fails the backup CSS will accept cookies issued by the primary and then issue a new one to the client for the same server. I understand the need on sticky-srcip content rules.
    Thanks

    With arrowpoint-cookie, there is no sticky table.
    So ASR does not need to exchange information between the 2 CSS.
    However, ASR is also there to preserve active connections after failover.
    So you should use it for every content rule, whatever the load-balancing option.
    Also, I'd like to clarify one point.
    The backup CSS will not issue a new cookie when receiving new connections.
    Both CSS will use the same cookie, which is why there is no need to exchange sticky table info for arrowpoint-cookie.
    This is also why the backup can take over new connections and understand the cookie presented by the client.
    Regards,
    Gilles.

  • Arrowpoint cookie HTTP Only flag set.

    Hi All,
    I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method; however, tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?
    Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.
    Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. The following URL has some information for review.
    Thanks in advance for your help.
    Alfie...

    Alfie,
    Your security test tool assumes the CSS is a webserver and therefore complains when seeing some missing *flag*.
    However, you won't be able to attack the CSS with whatever method that works against a webserver.
    We have our own onboard DOS feature.
    So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.
    Make sure the servers behind the CSS are protected and have your HTTPOnly flag.
    Gilles.
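
One way to check what the sniffer traces on this page show, written as an added example that is not part of the original posts: it parses captured request and response headers, reports whether the balancer's ARPT cookie is sent or issued, and lists which attributes each Set-Cookie header lacks (the check the answer above recommends for the servers behind the CSS). The sample headers are abbreviated from the trace in the first post and from the string-range thread; values marked as constructed are placeholders.

```python
"""Audit captured HTTP headers: is the balancer's ARPT cookie present, and
which Set-Cookie headers lack the HttpOnly / Secure attributes?"""

LB_COOKIE = "ARPT"  # cookie name visible in the string-range thread's trace


def header_values(raw, name):
    """Return the value of every `name:` header in a raw header block."""
    prefix = name.lower() + ":"
    lines = (line.strip() for line in raw.splitlines())
    return [ln.split(":", 1)[1].strip() for ln in lines if ln.lower().startswith(prefix)]


def request_cookies(raw):
    """Map cookie name -> value for the Cookie header(s) of a request."""
    jar = {}
    for value in header_values(raw, "Cookie"):
        for pair in value.split(";"):
            if "=" in pair:
                key, val = pair.strip().split("=", 1)
                jar[key] = val
    return jar


def set_cookie_findings(raw):
    """Return one entry per Set-Cookie header naming the flags it lacks."""
    findings = []
    for value in header_values(raw, "Set-Cookie"):
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        findings.append({"name": name, "missing": missing})
    return findings


def audit(request, response):
    issued = set_cookie_findings(response)
    return {
        "lb_cookie_sent": LB_COOKIE in request_cookies(request),
        "lb_cookie_issued": any(f["name"] == LB_COOKIE for f in issued),
        "set_cookie": issued,
    }


# Header lines abbreviated from the sniffer trace in the first post;
# the request cookie is a constructed placeholder.
TRACE_REQUEST = """GET /wps/WhrWasLogin HTTP/1.1
Host: portal.whirlpool.com
Cookie: appcred=PLACEHOLDER
"""
TRACE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sesessionid=0001DV51K5P5GZ40PGFTEV3AKJY;Path=/
Content-Type: text/html;charset=8859_1
"""
# Request carrying the ARPT value quoted in the string-range thread
# (the other cookie is shortened to a constructed value).
ARPT_REQUEST = "Cookie: $Version=0; XSESSIONID=constructed; ARPT=OZOMIVS172.16.1.20CK00J\n"

if __name__ == "__main__":
    print(audit(TRACE_REQUEST, TRACE_RESPONSE))
    print(audit(ARPT_REQUEST, ""))
```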

  • Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests

    Hi,
    I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
    However, the reverse proxy seems to make only a handful of connections to the servers compared to the number of incoming client connections, and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing decision based on the first HTTP GET in a TCP stream and not on a per-transaction basis AND our reverse proxy is multiplexing client requests. However, I cannot convince myself of how the arrowpoint-cookie method actually works.
    I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?

    Hi Gilles,
    I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
    A bit more info: the reverse proxy is an AXG Web Application Firewall. I have been looking at this and am considering disabling connection re-use on here.
    However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
    Thanks, David.

  • Session cookie question?

    This is a really stupid question but i need the answer lol is a session cookie and a session the same thing? if not whats different and which is better to use to see if a user is logged on my site?

    A "session" is stored in memory on the server and is bound to a specific "sessionId". The sessionId is stored in a cookie by default. When the browser submits the cookie the webserver can use that value to link an existing session to that client.

  • Stupid cookie question

    Hey, I have a question about using cookies with JSPs. I am trying to send a cookie to another server on the same domain, but for whatever reason, I can't seem to get it to work
    I create the cookie like this:
    Cookie c = new Cookie(name, value);
    c.setMaxAge(1000);
    c.setPath("/");
    c.setDomain(".mydomain.com.mx");
    response.addCookie(c);
    When I then forward to a test page on my server, I can see the cookie, but the domain comes out null.
    Anyone know what I'm doing wrong?

    What do you mean the domain is null? You mean you find the cookie in the page you want to read it in by name, but calling getDomain() returns null?
    That's probably cuz, as far as I know, the domain isn't set going the other direction because that info isn't in the request. Just the name/value pair.

  • Cookie question - What you can expect ? URGENT!

    Hi everybody.
    I have a few questions:
    1. Which Ascii values are excluded in Cookies?
    When I try to write the zero-value ASCII character, I get the values 128 and 192 instead. Something like this also happens with the space ASCII character.
    2. Can we write to the cookie file without using the set value method?
    3. Can I use non-printable ASCII values in a cookie value?
    Thanks a Lot !!!

    1.
    the following are reserved characters and need to be encoded.
    ";", "/", "?", ":", "@", "=" and "&"
    the space is also questionable and should be encoded.
    look up the term, URL Encoding
    you can probably create your own CODEC class using java.net.URLEncoder ?? class
    2. no, dont think so.
    3. ??

  • Every site now requires I answer the cookie question every time I open the site. This can be as many as 20 cookies for a given site.

    Now every site requires me to answer questions about cookies. Even sites I have used for years. Some sites may have as many as 20 cookies to answer. Can I download Firefox to correct this, and will I lose my bookmarks?

    You can change the cookie expire settings from "ask me every time" to "Keep until: I close Firefox"
    *Tools > Options > Privacy > Firefox will: "Use custom settings for history"
    *https://support.mozilla.org/kb/Cookies
    *https://support.mozilla.org/kb/Enabling+and+disabling+cookies
    There are also extensions that allow more precise cookie management.
    You can search the Add-ons site to find one that suits you.
