RE: [load balancing] Alteon - Client Web Proxy Problems

From: Lance McCallum (
Date: Thu Jul 15 2004 - 10:19:46 EDT

  • Next message: Basil Hussain: "RE: [load balancing] ServerIronXL - Real servers failing L4 check for no apparent reason"

    Did you write up an analysis on the weakness of site cookies and HTTP certs for site-specific domain names?    I have been involved in several  e-commerce deployments that required persistence and we have had good success with this solution.

    Maybe we are doing something different or we are not addressing  the specific issue you have uncovered.

    At 01:55 PM 7/14/2004 -0700, Pete Tenereillo wrote:

    OK, looks like you just changed it now, in fact I can t even get to the CNAME any more, but the more basic question I guess do you have the Alteons themselves configured for RR? i.e. do you intend to balance traffic between sites? If so, you are going to definitely have issues with some ISPs/caches. It s pretty much the opposite problem to that described in the documents. The silver lining in the browser DNS cache is that it provides 30 min of persistence for free . Sounds like this problematic proxy is not one of those that caches TTLs for a fixed amount of time.


    There is a feature called DNS persistence that is available in the Alteon Content Director, but not in the standard WebOS. If you are OK with using single A records, that is probably what you need. I wrote a post that described it some time ago.


    There s also a really stupid solution peddled mostly by F5 et all which uses site cookies and HTTP certs for site-specific domain names. Alteon can offer this too with the integrated SSL offloader or even the standalone appliance, but they don t really push it and I m not sure it 100% works yet (there were issues when I left the company).





    From: [] On Behalf Of Giorgio Solari V.
    Sent: Wednesday, July 14, 2004 1:35 PM
    Subject: RE: [load balancing] Alteon - Client Web Proxy Problems


        Hi Pete, the configuration is set to answer only one IP. Thanks for the documents. But the problem persist.

    On Wed, 2004-07-14 at 15:24, Pete Tenereillo wrote:

    Giorgio, I just did a sniff, you are returning multiple A records on each resolution (the default on the Alteon, and most GSLBs for that matter). Likely either BIND on the Squid box, or the caching nameserver the Squid box is pointed at, is RRing those. You can shut off multiple A records on the Alteons, using the command:
    but then you will need to live with a reduced level of HA described here:
    Given it's ScotiaBank, HA is probably the primary objective of doing multisite in the first place.
    You can mitigate those potential problems somewhat by doing something like this:
    but you would still need to return single A records for the site-specific URLs (or you would be back to the original issue).
    The only bulletproof solution is to sync state between sites so that it does not matter what site a subsequent SSL session goes to. I know that's tough to do right.


    From: [] On Behalf Of Giorgio Solari V.
    Sent: Wednesday, July 14, 2004 11:25 AM
    Subject: [load balancing] Alteon - Client Web Proxy Problems


        Hello to all people. I nedd great aid. I formed two
    Alteon Application Switch 2208 (Version 21.0.4) successfully doing GSLB. The services are http and https. The problem I have is from certain clients that are behind some Web Proxy. Those proxy do not maintain the ssl (tcp) connection, changing the servant to the other alteon.

        Let me show a real log from a Squid proxy server which have the problem:

    1089670996.757   7955 TCP_MISS/200 564 CONNECT - DIRECT/ -
    1089670998.789    983 TCP_MISS/200 3145 CONNECT - DIRECT/ -
    1089671010.119   7658 TCP_MISS/200 2160 CONNECT - DIRECT/ -
    1089671010.550   8564 TCP_MISS/200 28085 CONNECT - DIRECT/ -
    1089671010.556   8306 TCP_MISS/200 32611 CONNECT - DIRECT/ -
    1089671010.556   8106 TCP_MISS/200 4071 CONNECT - DIRECT/ -
    1089671100.271   2795 TCP_MISS/200 3145 CONNECT - DIRECT/ -
    1089671118.082  16450 TCP_MISS/200 46618 CONNECT - DIRECT/ -
    1089671118.090  16229 TCP_MISS/200 14760 CONNECT - DIRECT/ -
    1089671118.090  11676 TCP_MISS/200 6357 CONNECT - DIRECT/ -
    1089671118.091  11675 TCP_MISS/200 760 CONNECT - DIRECT/ -
    1089671119.789    369 TCP_MISS/200 3145 CONNECT - DIRECT/ -
    1089671130.362   9426 TCP_MISS/200 9334 CONNECT - DIRECT/ -
    1089671130.384   9672 TCP_MISS/200 27865 CONNECT - DIRECT/ -
    1089671165.589  36409 TCP_MISS/200 27621 CONNECT - DIRECT/ -
    1089671165.603  36411 TCP_MISS/200 3721 CONNECT - DIRECT/ -
    1089671167.220    442 TCP_MISS/200 3157 CONNECT - DIRECT/ -
    1089671176.455   4578 TCP_MISS/200 5088 CONNECT - DIRECT/ -
    1089671176.519     39 TCP_MISS/200 39 CONNECT - DIRECT/ -

        I have tested a lot of proxy servers including squid, without problems. Somebody can help me please?. This it is the only ponit of fail that I have.




    Giorgio Solari V. <>
    Cientec S.A.

    Giorgio Solari V. <>
    Cientec S.A.


    Lance McCallum
    Product Line  Manager
    GSS and SCA
    1414 Massachusetts
     Boxborough, MA
    ____________________ The Load Balancing Mailing List Unsubscribe: Archive: LBDigest: MRTG with SLB: Hosted by:

    This archive was generated by hypermail 2.1.4 : Thu Jul 15 2004 - 10:30:52 EDT