Question on CSS cookie sticky

Similar Messages

• Question about when L3 sticky information is removed on CSS

  Hi everyone,
  I have a question about L3 sticky on CSS.
  I understand L3 sticky takes effect on the following situations,
  1: until expiring inactive timer
  2: until sticty table full
  and
  3: until the connection disconnect by receiving RST or FIN from client or real server
  The "3:" means that CSS maintains sticky connection between specific client IP address
  to real server (L3 stickty) when CSS has its information on sticky table.
  And CSS has removed it from sticky table if CSS receive RST or FIN even if the inactive timer
  abot its connection has not expired.
  That is, CSS removed L3 sticky information from sticky table when CSS receive
  RST or FIN from client or real server even if inactive timer has not expired and
  in this situation, the next new connection from same client IP address is processed with
  normal load balancing, in the result, the new connection from same client IP address
  forwards other real server.
  Is my understanding correct ?
  Or CSS maintains L3 sticky information on the sticky table until the situation meets
  "1:" or "2:" even if CSS receive RST or FIN ?
  Your information would be appreciated.
  Thank you in advance.
  Best Regards,

  What point number 3 means is the layer 3 sticky will take effect when a connection disconnect message is received from a client or a real server. This connection disconnect is received in the form of RST or FIN messages from the real server or the client.

• Http cookie stickiness

  Hi,
  I have an http session between Web Server farm and Application Server Farm.
  After firt http request, Application Server send this pck (see file http_header.txt ).
  So, I configured http cookie Stickiness with Dynamic cookie learning:
  sticky http-cookie JSESSIONID Cookie-Bea-Group
  cookie offset 0 length 64
  timeout 70
  timeout activeconns
  replicate sticky
  serverfarm BEA8-SFARM-3
  But it doesn't work. But if web server received an answer from Application server with only one set-cookie
  Set-Cookie:JSESSIONID=xxxxx
  It work
  if in the http header there are two set-cookie doesn't work.
  I need stick the session based only on JSESSIONID cookie.
  Is it possible and how?
  Thanks
  Dino

  Hi Dear,
  The ACE appliance/module has the dynamic cookie feature.
  You then just need configure the cookie name and the box does the rest.
  When static cookies are used there will only be one entry in the cookie database per real server. So, if ace-cookie is the only cookie defined and there are two servers, there will only be two entries in the sticky database, even if there are thousands of user sessions.
  Dynamic cookie learning is another option for keeping the SAP session persistent. The sticky table can hold a maximum of four million dynamic entries (four million simultaneous users). The key is choosing the right cookie name.
  Lets take an example of SAP sets a number of cookies for various purposes (note the ace_cookie was set by Cisco ACE using cookie insert, not SAP), but the saplb_* cookie is set by SAP specifically for load-balancers. It has the format saplb_=()[].
  Here, the cookie value also helps to verify which server instance and physical node you are connected to.
  The configuration process for cookie learning is similar-with a few changes in the syntax.
  Example configuration:
  ssticky http-cookie saplb_* ep-cookie
  replicate sticky
  serverfarm EP-HTTP
  policy-map type loadbalance http first-match ep-policy
  class class-default
  sticky-serverfarm ep-cookie
  In the above examples, the replicate sticky command is used so that the cookie information is replicated to the standby Cisco ACE context. With this implementation, session persistence is maintained in the event of a failover. The default timeout is one day.
  The show sticky data command retrieves the active sticky entries that have been dynamically learned. The value shown is not the actual cookie value, but a function of it created by Cisco ACE.
  Example configuration:
  switch/SAP-Datacenter# show sticky data
  sticky group : ep-cookie
  type : HTTP-COOKIE
  timeout : 100 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+--------------------------------+--------------+-------+
  6026630525409626373 SAP-EP:50000 5983
  Load Balancing Identifier
  The Load Balancing Identifier used for Load balancing to Web AS Java instances has the following syntax.
  saplb_=()[]
  The cookie is set on path=”/” and domain=.
  The same syntax applies if the identifier is used via url rewriting.
  The applies only to the J2EE Engine where session stickyness on a process (JVM) level is required. The uniquely identifies a set of instances. If there are no special group definitions then the special group identifier '*' is used. This will be the case for a default installation.
  The SAP Web Dispatcher checks for path prefix match and thereby determines group name. This allows to obtain from the set of dispatch cookies or to do initial load balancing for the group. The Java dispatcher receives the request and also checks for the group. The Java dispatcher then reads from the appropriate dispatch cookie or performs initial dispatch on his local nodes.
  The CSS does not have the possibility to learn dynamic cookie value created on the server.
  So, you can either use arrowpoint cookies which is quite simple or have your server team add a static value to the jsessionid in order to identify the server.
  We can then configure the CSS to locate this static value and match it to a service.
  If possible kindly rate.
  Keep in touch.
  Kind regards,
  Sachin Garg

• CSS cookie insertion

  Hi everyone,
  I have a question about the cookie insertion.
  I understand there are two method of inserting cookie,
  1: by Server
  2: by CSS
  and those method can not be configured simultaneously, that is, if the cookie inserted by server,
  CSS can not insert the cookie for the connection.
  Because if the cookie inserted by server and by CSS, the server can not accept the cookie
  information.
  For example,
  Server inserts the cookie "0123456789"
  and also
  CSS inserts the cookie "ARPT=bbbbbbbsssssttttttt"
  Server expects the cookie information is "0123456789" but the cookie information reaches
  to the server is "ARPT=bbbbbbbsssssttttttt;0123456789".
  So the server can not recognize the HTTP connection includes the cookie "ARPT=bbbbbbbsssssttttttt;0123456789"
  because the server only understands the cookie "0123456789".
  Does my understand is true ?
  Or in this situation, does CSS remove the own inserted cookie (ARPT...) by understanding that
  "the server also inserts cookie so I (CSS) need to remove cookie" ?
  Your information would be greatly appreciated.
  Best regards,

  just use a different cookie name on the server.
  ARPT is the one by default on the CSS and it stands for ARrowPoinT.
  If your server uses a different cookie name like SERVER, then both cookie can exist at the same time.
  The client would received
  ARPT=bbbbbbbsssssttttttt
  SERVER=0123456789
  and it will also send this data when sending the next request.
  The CSS will detect the ARPT=... value and use it and then pass all the data to the server.
  The server will also see its own cookie SERVER=.....
  Gilles.

• Catalyst 6500 CSM-S Cookie stickiness timout ?

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi, anyone able to help with this ?
  We have a CSM-S sitting in a 6513, at the moment we have IP stickiness applied for a Vserver/Serverfarm. The back end product vendor advises that cookie stickiness would be more appropriate for their application.
  I have been scratching my head around the timeout of the inserted cookies; whatever I do they persist seemingly indefinitely, for example:
  Just a test configuration with a 10minute sticky timout.
  serverfarm applicationA
    nat server
    nat client applicationA_pool
    failaction reassign
    real 1.1.1.1
     inservice
    real 1.1.1.2
     inservice
    health retries 1 failed 120
    probe applicationA_probe
  sticky 1 cookie applicationA_sticky insert timeout 10
  vserver applicationA-HTTP
    virtual 2.2.2.10 tcp www
    unidirectional
    serverfarm applicationA
    sticky 10 group 1
    no persistent rebalance
    inservice
  Doing show mod csm 1 sticky
  group   sticky-data              real                  timeout
  1       cookie F5BF7115:F80EA688 1.1.1.1           0
  1       cookie 4AFC972B:BB722437 1.1.1.2           0
  Then a show mod csm 1 sticky config
  Group  NumEntries Timeout  Type
  1             82                           10        cookie-insert applicationA_sticky
  When browsing to the VIP I see the application page via one of the reals. For the sake of the test I am using round-robin. Without cookies applied my browser will bounce between reals (I turned off persistent rebalance during testing) as expected.
  With a sticky cookie inserted the browser stays on one of the real’s, however the timeout which I have applied does not work. The client will stay stuck to the real almost indefinitely (the actual cookie expiry is 2099!).
  The online documentation advised that the method I am using should work as expected:
  Quote
  This example shows how to configure a virtual server named barnett, associate it with the server farm named bosco, and configure a sticky connection with a duration of 50 minutes to sticky group 12:
  Router(config)# mod csm 2
  Router(config-module-csm)# sticky 1 cookie foo timeout 100
  Router(config-module-csm)# exit
  Router(config-module-csm)#
  Router(config-module-csm)# serverfarm bosco
  Router(config-slb-sfarm)# real 10.1.0.105
  Router(config-slb-real)# inservice
  Router(config-slb-real)# exit
  Router(config-slb-sfarm)#
  Router(config-slb-sfarm)# vserver barnett
  Router(config-slb-vserver)# virtual 10.1.0.85 tcp 80
  Router(config-slb-vserver)# serverfarm bosco
  Router(config-slb-vserver)# sticky 50 group 12
  Router(config-slb-vserver)# inservice
  Router(config-slb-vserver)# exit
  Router(config-module-csm)# end
  End Quote
  I am guessing that sticky group 12 / 1 is a typo
  Looking at the documentation, sticky can also be applied not in the vserver config but in a policy (this is how we are doing IP stickiness). I have tried both methods. Same result.
  I am natting the client address to a private pool which then talks to the reals (and back). Would'nt expect this to be any issue.
  The CSM is running Software version: 4.3(5).
  Any help appreciated.

  Good mornign Simon,
  The behavior you are seeing is the expected one.
  When the CSM is configured for cookie insertion, a static cookie value is created in the sticky table for each server. This is the cookie that is being inserted, using as expiration date the one defined in the COOKIE_INSERT_EXPIRATION_DATE variable.
  With this stickiness method, there is no need to use a timeout, because, since the sticky table will only contain one entry for each server, it will never become full.
  Quoting from the documentation:
  Note     The
  configurable timeout values are not applied when using cookie insert. 
  You can adjust the timeout value using the environment variables.
  If you don't want to keep the cookies in the client for that long, another approach you can use is setting an empty date in the COOKIE_INSERT_EXPIRATION_DATE variable. When doing that, the cookie will be inserted without an expiration date, so it will be cleared when the browser is closed.
  I hope this answers your question
  Regards
  Daniel

• Cisco GSS - Cookie Stickiness

  Hi,
  What all the parameters can be used for stickiness across different data centers via Cisco
  GSS. Is cookie stickiness possible.
  We are planning to implement an Active/Active site and the
  internet user requests will be load balanced across two sites. Since most of the users use ADSL connections, the source IPs are dynamic and changes within minutes and even seconds. If the stickiness would be configured based on IPs on the GSS, the sessions would be lost due to continuous IP changes and the user would be randomly directed to different data centers.
  Please suggest how could stickiness be achieved without IPs.
  Thanks.

  Hello there,
  Stickiness on the GSS is based on IP address.  There is local sticky, which means each GSS in the cluster maintains its own sticky database and doesn't share it with the other GSS in the cluster.  Global sticky is when each still has its own sticky database, but they update each GSS in the cluster so that if a request comes into a different GSS from the same host IP and requests the same domain, it will still be stuck to the same Answer.
  It does not matter if your clients are frequently changing their IP addresses, because an Internet user's IP address is not used, or known, by the GSS.  To the GSS, a client is actually an Internet user's D-proxy, or local DNS server.  Here's how it works:
  Internet user needs to resolve FQDN to IP address
  Internet user sends DNS query to his/her DNS server (D-proxy)
  D-proxy (which typically has a static IP address) makes request throughout DNS infrastructure sourced by its own IP address
  Eventually, the DNS request ends up at a GSS
  GSS checks to see if it already has a sticky entry for the IP address of this D-proxy
  If sticky entry exists, then the same Answer is given as last time
  If sticky entry does not exist, GSS will use configured method to choose Answer, return it, then create sticky entry
  If you are using global sticky, then the GSS will update the other GSS in cluster so they add the entry to their databases
  So as you can see, the Internet user's IP address has no relevance to the GSS's operation.
  I hope this helps.  Let me know if you have any questions.
  Thank you,
  Sean

• Cookie stickiness configuration issue with Cisco ACE

                     Hi,
  We have configured a ACE (in standby mode) with ip netmask stickiness and wanted to configure cookie stickiness for a remedy server placed behind the ace. BMC has said that they use JSESSIONID field on the remedy application and i want to know the procedure for configuring ace to see this field and deploy cookie stickiness feature on the ace.
  We tried configuring the ace to learn the cookie string dynamically and tried to insert the cookie in the server response to the client but both methods have failed and the user is not able to see the remedy app webpage in both occassions.
  Are there any pre-requisites to be configured on the ace before configuring cookie stickiness feature?   We would appreciate your timely response.
  Thanks in advance.

  Hi,
  Refer the document below for sample configuration. If this still doesn't work a full config and sniffer capture required to verify this.
  http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Regards,
  Siva

• Question about setting cookies and custom authentication

  I have a question about setting cookies.
  I have two different 'projects' in HTMLDB - we will call them App1 and App2.
  I also have two different connection configurations setup in the DADs.conf file. - we will call them Connect1 and Connect2.
  App1 is setup to use database authentication (no user is specified in the DAD) and uses Connect1. Once the user successfully logs in, we set a username cookie (this is a persistent connection).
  We created a custom authenticatoin scheme for App2 - this scheme checks for the username cookie (set by App1). We would like for App2 to use Connect2 (HTMLDB_PUBLIC_USER is the default user specified and it uses connection pooling).
  Is it possible to set a cookie from App1, Connect1 for App2, Connect2 - then redirect to App2 and pick up that cookie?
  Here is an example of what we are trying to accomplish:
  A user loggs into App1, we set a cookie, and the user is redirected to App2. If the cookie exists, we allow them access to the home page in App2, if no cookie, we redirect back to a 'Login Failed' page in App1. We don't want App2 to use the same database connection as App1 though, we need App2 to use connection pooling.
  Is this possible? OR...Is there a better way to accomplish what we want to do?
  This is an enhancement to an existing app. Our requirements are to use Database Authentication (setup where pass expires after 60 days or so, cannot reuse last 3 passwords, etc.) - which is already setup and being used by other applications in our organization. All of our users have accounts in the database. We don't want users to have a new username/pass - and we don't want to manage a separate group for HTMLDB apps.
  The existing application uses HTMLDB's built in authentication - which uses database username/pass, and it uses connection pooling, but we cannot handle the pass expire stuff in it, unless there's something we're not seeing or understanding - at least that's how our DBA explained it to us.
  Any help with this will be appreciated so much. I can send you the code we have if needed.
  Thanks!

  Same problem here.  I have so many problems with this remote app.  Is there an iTunes API? I would like to write my own remote app that actually works.

• CSS Cookie Handling

  Anyone know of a way to configure the CSSs to handle dynamic server written cookies? Basically I have two DMZs which are each load balanced with a pair of CSSs. When using arrowpoint cookies on both pairs to keep session, I think one is overwriting the other or it's not writing the second cookie because the CSS cookie (ARPT) already exists. The app servers write a cookie so I could key off that but it's dynamic and I only see how to configure to read other cookies if the content is static. Anyone know how to make the second pair of CSSs write arrowpoint cookies with a different name or how to configure it to read dynamic cookies written by a server? TIA

  Well, I was close to finding the answer on my own. Should've spent more time reading and less time posting. LOL
  Arrowpoint cookie names can be changed with the "arrowpoint-cookie name" command.
  A hash can be run on a cookie as opposed to an absolute value with the "string operation" command.
  Cheers!

• Csm cookie sticky

  Hello Gilles,
  I have setup cookie stickiness using the following config:
  sticky 1 cookie JSESSIONID timeout 100
  serverfarm xxxxx
  real 192.168.1.1
  health probe HTTP01
  inservice
  real 192.168.1.2
  health probe HTTP02
  inservice
  policy pol_IOW_stick
  serverfarm xxxxxx
  sticky-group 1
  vserver yyyyyy
  virtual 192.168.1.5 tcp 0
  serverfarm xxxxx
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  slb-policy POL_IOW_STICK
  inservice
  Load balancing is working to the real servers and I can see the policy being matched, however,
  I never see any entries in the sticky table.
  This is a test scenario and all connections are being proxied through 2x proxy servers. Should I
  not see at least the ip addresses of both proxy servers in the sticky table?
  We are running version CSM v3.1(4)
  Thanks

  you need 4.x to see the sticky entry when using something else than sticky source ip.
  Stickyness shoud work, it's just the show commands that requires CSM version 4.x
  Regards,
  Gilles.

• Shouldn't ACE 4710 ignore cookie stickiness when the server is down?

  Hello,
  I have implemented sticky load balancing with cookies. The problem is that if one of my two servers in the server farm is down (and even if the ace recognizes it as down via a probe) it keeps sending the requests to the server that is down, obviously because it has set a cookie for this server,
  Shouldn't the ACE ignore the cookie when the server is down?
  Is there a command to ignore cookie stickiness if the server is down? Is there another workaround?
  an example of my config is
  serverfarm host SF_Ebanking
    rserver RS_IAS_1 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
    rserver RS_IAS_2 XXXX
      conn-limit max 4000000 min 4000000
      probe http_probe_ebanking
      inservice
  sticky http-cookie ACE_COOKIE ebanking_sticky
    cookie insert
    replicate sticky
    serverfarm SF_Ebanking
    16 static cookie-value "server01" rserver RS_IAS_1
    24 static cookie-value "server02" rserver RS_IAS_2
  thanks,
  george

  This is not as obvious as you seem to believe.
  ACE will not select a server that is down !!!! Even if the cookie points to that server.
  What might be happening is that the connection from the browser to the ACE has not been killed, so when client sends a new request it reuses the existing connection and ACE does allow an existing connection to be maintain with a dead server by default.
  Try the command 'failaction purge' under the serverfarm.
  This should kill the active connections with the dead server and allow a new connection to be open with the other server even if the cookie points to the dead one.
  Regards,
  Gilles.

• Arrowpoint cookie + stickiness

  Hi i have a question regarding advance balance arrowpoint cookie.
  The stickiness works fine unless the server goes down.When the server is dying and the user is making a request to the dying server then the CSS sends a RST but the client tries to reach still the old server. The stickiness is switching over to the next server only if I stop the pending request and I make a new request. Have you a suggestion ???
  Here the configuration of the content:
  content testcontent
  protocol tcp
  vip address 194.41.224.138
  redundant-index 1000
  add service h00bhm
  add service h00bhs
  arrowpoint-cookie expiration 00:00:30:00
  port 80
  url "/*"
  advanced-balance arrowpoint-cookie
  balance aca
  active

  if you have a persistent connection active when the server dies, the next request from the client is not loadbalanced and still forwarded to the server.
  This is the normal behavior.
  You can try the command 'no persistent' in the content rule and the command 'persistent reset remap' in global config.
  [might be persistence instead of persistent - never know which one is the correct spelling].
  Regards,
  Gilles.

• CSS restore sticky ssl

  Hi everyone,
  I am facing a strange issue. I have a SSLv3 service running on two servers behind a pair of(active-standby) CSS 11501, wich do advance-balance ssl. Few days ago I noticed that the CSS stopped the LB and start sending he request to only one server( both alive). I think that is hapening due to the SSL-layer 4 fallback. How do I verify it , and restore stickyness with session ID?
  Thanks in advance
  David

  Further observations:
  issueing the commnd ssl-l4-fallback disable, restores the load balance. This means, I think, that the l4-fallback was activated. The questions remaiins, why, if we are using ssl v3? why the l4 sticky table has no entries. Here is a ssldump example:
  New TCP connection #2: 172.16.20.1(46311) <-> 172.26.80.1(3034)
  2 1 0.0011 (0.0011) C>SV3.0(95) Handshake
  ClientHello
  Version 3.0
  random[32]=
  46 8a 31 6f 87 94 35 a8 30 16 42 5e e9 6e 31 c0
  d6 17 ac eb 92 9c 53 db 85 92 df 30 0e 67 90 90
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  SSL_DHE_DSS_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_MD5
  SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_RC2_56_CBC_SHA
  SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
  SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  compression methods
  NULL
  2 2 0.0025 (0.0014) S>CV3.0(74) Handshake
  ServerHello
  Version 3.0
  random[32]=
  46 8a 19 d6 a8 f5 88 8e d4 d5 16 06 df 1e 8e e5
  0e 7c 1b f2 f8 bb b9 c8 7d c6 e2 f8 fe e6 7f b0
  session_id[32]=
  db 23 61 fa 35 5a ef 0e da 3d be b0 c2 85 39 9f
  4d b1 75 5d 5b ef c8 46 bc 4d db ab 31 23 d6 d4
  cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA
  compressionMethod NULL
  2 3 0.0025 (0.0000) S>CV3.0(1147) Handshake
  Certificate
  2 4 0.0025 (0.0000) S>CV3.0(4) Handshake
  ServerHelloDone
  2 5 0.2346 (0.2320) C>SV3.0(260) Handshake
  ClientKeyExchange
  EncryptedPreMasterSecret[256]=
  1b a5 47 46 7b 9a 8b 84 88 d4 54 ba 23 c7 7a 31
  db 8a 74 c2 02 3b 8b 50 75 c3 c8 c0 38 4c 18 e8
  0a e8 c8 47 39 ff 9b 3c 6a cc d3 21 78 69 e6 50
  88 55 e8 b3 d3 b1 2a 04 b3 ba 66 e4 c8 49 f4 8e
  a0 bd 74 60 e9 f2 0c a1 25 47 03 4e 6c ed 96 52
  de 2a 9a 60 29 c5 f6 21 c8 3e 58 ef af 3f 12 b2
  ee 34 c0 70 12 d0 64 30 28 65 ed fb ff 65 f2 de
  d0 bf cd e6 26 79 6f 3c 61 5f df da bf ac 4a cf
  4c 0e 0c 66 44 e1 b2 a3 34 f2 27 75 f0 e4 e7 a4
  48 06 76 93 73 0d 09 75 35 ea a1 91 d9 c8 ad 58
  b9 1f 45 bf c6 09 61 cb 2d 75 4a ba ed 45 15 44
  0f fc 9e 5b 90 e7 b2 86 15 1c 43 a5 52 0d c7 1e
  d8 81 42 db 77 35 99 4d 0d 5b 20 e6 dd c5 a1 7d
  64 9a 13 d2 99 b7 1d 94 a7 fe ce b6 67 7d df b9
  25 fb 27 d2 6e 90 49 54 b9 c1 10 32 eb 42 df 43
  b6 1c 94 4e ee 0b ca 29 27 8a 3d b8 fe 59 00 f4
  2 6 0.2346 (0.0000) C>SV3.0(1) ChangeCipherSpec
  2 7 0.2346 (0.0000) C>SV3.0(64) Handshake
  2 8 0.2708 (0.0362) S>CV3.0(1) ChangeCipherSpec
  2 9 0.2708 (0.0000) S>CV3.0(64) Handshake
  2 10 0.3074 (0.0365) C>SV3.0(40) application_data
  2 11 7.9036 (7.5961) S>CV3.0(24) application_data
  2 12 7.9036 (0.0000) S>CV3.0(104) application_data
  2 13 7.9036 (0.0000) S>CV3.0(24) Alert
  2 7.9036 (0.0000) S>C TCP FIN
  2 14 7.9464 (0.0427) C>SV3.0(24) Alert
  2 7.9524 (0.0059) C>S TCP FIN
  As you can see session ID is sent correctly.
  David

• CSS bad stickiness

  Hi all,
  seems we have some problems with stickiness src-ip on a CSS 11506. 6 clients are calling 4 servers.
  The four servers are balanced this way:
  content Prodotti_9503
  add service Prodotti_BEA_WLS_9501_1
  add service Prodotti_BEA_WLS_9501_2
  protocol tcp
  port 9503
  vip address 10.216.86.153
  advanced-balance sticky-srcip
  add service Prodotti_BEA_WLS_9501_206
  add service Prodotti_BEA_WLS_9501_207
  active
  All the traffic goes to Prodotti_BEA_WLS_9501_1 regardless of the client source IP.
  All the servers are active.
  Do you think this is due to the limited number of clients (the clients are frontend web servers)?
  Do you know how the CSS hashing algorithm works in detail?
  Thanks in advance.
  Fausto

  I just upgraded from a set of 11800's to 11506's. I'm running 7.20 build 206. We are doing a data center migration so it was a perfect time to upgrade and break my load-balancing out between internal and external users.
  We made the change two nights ago and I spent most of the next day and yesterday troubleshooting some css issues that cropped up. One was with our online bill payment app and the other an agent and reseller site. Both have standard port 80 URL's that then redirect to https for login. Both were configured for sticky-srcip-dstport and immediately began having issues. If you went to servers directly everything worked fine.
  Because of the way the redirects are setup we had a hard time getting them working when the sites were first setup. The port 80 rule listens, hits a server then it redirects back to the VIP address and the port 443 rule then reflects it back to the server. After the migration it appeared that intermittenly users would be redirected back to a server that didn't know about their session and browser errors would occur. I was able to set both of those to use ssl session ID and it fixed the issue.
  I have another application that seems to be doing something very similar but it has no ssl piece so advanced-balance ssl will do no good with that one. I'm still searching for a workaround.
  If anyone here has any suggestions they would be greatly appreciated.

• CSS - SSL Stickiness

  Gilles,
  Could you please advice the CSS content configured with stickiness SSL ID and balance method round robin is recommended configuration or not.Are there are any issues with SSL stickiness with the browsers i.e IE .
  Note:- I am not using SSL Module in the CSS.
  Thanks in advance...

  There are two issues
  Some versions of IE (5.0, 5.5 --check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will
  cause the client to change its SSL ID every 2 minutes and this will break
  stickyness with application ssl and advanced balance SSL as this is layer 5
  stickyness based on SSL session ID. A sniffer trace from the client will
  show the ID field change.
  You have to be aware that SSL stickiness will only work with SSL v3,
  because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickyness
  based on that version.So your appliaction servers must be using SSL v3, if you want to use SSL ID based stickiness.
  Hope it helps
  Syed Iftekhar Ahmed