RE: [load balancing] SSL Pbind on Alteon 2424 - Problem?

From: Mike Terlouw <Mike.Terlouw [izzat] IonIP.com>
Date: Wed Feb 08 2006 - 11:12:15 EST

Hi Steve,
 
SSL-id based persistency is no longer a good persistency method. The current
IE version will flush established session-ids every 2? minutes forcing your
client to re-negotiate the SSL handshake with one of the available servers.
This might break the earlier established client-server binding. You can
increase the time that SSL-sessionids are stored per real on the Alteon but
I'm afraid that this is not a very solid solution. Consider an SSL offloader
and then maintain persistency based on cookies.
 
regards, Mike
 

Mike Terlouw
Network Architect

(F5 / Nortel Traffic Management)

 ion-ip b.v.
www.ionip.com
T +31 (0)318 555055
F +31 (0)318 555066
M +31 (0)6 27046338
mike.terlouw@ionip.com
Landjuweel 16-7, Postbus 225, 3900 AE Veenendaal, Nederland


  _____

From: Hendershott, Steve [mailto:shendershott@ETS.ORG]
Sent: Wednesday 8 February 2006 15:48
To: lb-l@vegan.net
Subject: [load balancing] SSL Pbind on Alteon 2424 - Problem?

I seem to have a problem with the PBIND on SSL Session ID. Many times the
user in a browser will end up on the second system where they do not have an
application session. It appears like the Alteon lost track of the SSL
Session ID and sent that request on to a different server in the group.

The user's browser session can be a long one, but is active and keeps the
application session (JSession) alive on the server.

Has anyone seen any behavior where the load balancer loses the SSL Session?
Perhaps after 6 hours it gets rid of it?

Here is a snippet of config. Real 200 and 201, group 200, and Virtual 200
with service on 443 (https) is in question.

Thanks for any help.

Steve

=============================================

 

/* Alteon2424a

/c/slb
        on
/c/slb/adv
        direct ena
...

/c/slb/real 200
        ena
        rip nnn.nn.86.48
        tmout 30
        inter 20
        retry 3
        name "XXX"
/c/slb/real 201
        ena
        rip nnn.nn.86.49
        tmout 30
        inter 20
        retry 3
        name "YYY"

/c/slb/group 200
        metric roundrobin
        health httphead
        content "shortcuts.jsp"
        add 200
        add 201
        name "ZZZZ"

...
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add nnn.nn.87.41 3
/c/slb/port 1
        client ena
        hotstan ena
/c/slb/port 2
        server ena
        hotstan ena
/c/slb/port 3
        client ena
        server ena
        proxy ena
/c/slb/port 24
        client ena
        server ena
        intersw ena
...
/c/slb/virt 200
        ena
        vip nnn.nn.87.39
/c/slb/virt 200/service https
        group 200
        rport 9443
        dbind ena
        epip ena
/c/slb/virt 200/service 444
        group 200
        rport 9444
        epip ena
/c/slb/virt 200/service 8080
        group 200

...
/c/slb/virt 200/service 443/pbind sslid

 

 

Received on Wed Feb 8 13:38:27 2006
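
The failure mode discussed in this thread, as a small Python model (an added example, not part of the original messages and not Alteon code): one browser sends a request every 30 seconds to a two-real round-robin group, and the balancer keeps a persistence table keyed either on the SSL session ID or on an HTTP cookie it can read once SSL is offloaded. The 120-second session-ID lifetime, the table timeouts, the cookie value and all names are assumptions constructed for the illustration.

```python
import itertools

REALS = ["real200", "real201"]  # stand-ins for the two reals in group 200


class Balancer:
    """Toy round-robin balancer with one persistence table (hypothetical model)."""

    def __init__(self, key_field, table_timeout):
        self.key_field = key_field          # "ssl_id" or "cookie"
        self.table_timeout = table_timeout  # seconds an idle binding is kept
        self.rr = itertools.cycle(REALS)
        self.bindings = {}                  # key -> (real, last_seen)

    def route(self, now, request):
        key = request[self.key_field]
        entry = self.bindings.get(key)
        if entry and now - entry[1] <= self.table_timeout:
            real = entry[0]                 # known key: honour the binding
        else:
            real = next(self.rr)            # unknown or expired key: fresh pick
        self.bindings[key] = (real, now)
        return real


def client_requests(duration, interval, ssl_id_lifetime):
    """Constructed traffic: one active browser whose SSL session ID is
    replaced every ssl_id_lifetime seconds while its cookie stays the same."""
    for now in range(0, duration, interval):
        yield now, {"ssl_id": f"sid-{now // ssl_id_lifetime}",
                    "cookie": "constructed-cookie-value"}


def server_switches(key_field, table_timeout,
                    duration=1800, interval=30, ssl_id_lifetime=120):
    """Count how often consecutive requests land on a different real."""
    lb = Balancer(key_field, table_timeout)
    seen = [lb.route(now, req)
            for now, req in client_requests(duration, interval, ssl_id_lifetime)]
    return sum(1 for a, b in zip(seen, seen[1:]) if a != b)


if __name__ == "__main__":
    print("sslid, 10 min table:", server_switches("ssl_id", 600))
    print("sslid, 6 h table:   ", server_switches("ssl_id", 21600))
    print("cookie, 10 min table:", server_switches("cookie", 600))
```

In this model a longer table timeout does not reduce the switches for the session-ID key, because the browser presents an ID the table has never seen; the cookie key keeps every request on the first real.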
