From: Cisco (ciscoIZZATnetsyssupport.com)
Date: Tue Oct 01 2002 - 17:30:40 EDT
Thanks Philip. What I'm going to test is to set up AOL IP addresses to be redirected to only one real server.
Regards
Luis
----- Original Message -----
From: Philip Goldie
To: lb-lIZZATvegan.net
Sent: Tuesday, October 01, 2002 2:22 PM
Subject: RE: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK
Luis,
The problem is with the AOL Mega Proxies, not the browsers. Basically all AOL users (and those from
other ISPs) are proxied behind farms of Caches which results in changes in Source IP addresses over time.
This is why the IP Hashing model you're using is breaking.
Forcing the web server to re-negotiate the SSL ID is not an answer as the switch still has no way of tracking
the changing ID as far as I'm aware.
The only answer is Cookies, although in an SSL environment, there is no way for a switch to read and parse
the cookie values unless it (or a tertiary device) is terminating the SSL Session. In Alteon world we have an
SSL Accelerator (the Nortel ASA-310 and ASA-310) to do this. Not sure how Foundry solves this issue - anyone?
Phil.
-----Original Message-----
From: Cisco [mailto:ciscoIZZATnetsyssupport.com]
Sent: 01 October 2002 18:43
To: lb-lIZZATvegan.net
Subject: Re: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK
Thanks Phil for your posting.
Definitely I'm not in control of the user DESKTOPs and still I don't understand why I'm getting problems only with AOL. From what you said I'm assuming that my problem is the AOL browser renegotiating the SSL session too fast. If that is the case, I heard you can force the WEB server to renegotiate the SSL session before the browser does and maybe that will fix the problem. Are you aware of this, or has anyone tried it before?
Foundry supports SSL SESSION ID and COOKIE SWITCHING. Can I use the latter to maintain sessions across my servers?
Thanks
Luis
----- Original Message -----
From: Philip Goldie
To: lb-lIZZATvegan.net
Sent: Tuesday, October 01, 2002 11:42 AM
Subject: RE: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK
Luis,
The only real model for dealing with persistence either in SSL environments or plain HTTP is cookies. This is
not a Foundry limitation, just the nature of the protocols, applications and infrastructures which make up the
Internet :-(
One alternative is to use SSL Session ID as a persistence mechanism, but this often proves fruitless as
most browsers renegotiate the SSL ID periodically. There is a fix for this, but only if you're in control of the
desktop of the user base, which it sounds like you're not.
Phil.
-----Original Message-----
From: Cisco [mailto:ciscoIZZATnetsyssupport.com]
Sent: 01 October 2002 15:31
To: lb-lIZZATvegan.net
Subject: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK
I recently set up our Foundry ServerIron XL for SERVER LOAD BALANCING. This is the configuration we have:
server real test1 65.165.34.11
 port http
 port http keepalive
 port http url "HEAD /"
 port ssl
 port ssl keepalive
!
server real test2 65.165.34.12
 port http
 port http keepalive
 port http url "HEAD /"
 port ssl
 port ssl keepalive
!
server virtual test 65.165.34.10
 port http sticky
 port ssl sticky
 track-group http 443
 bind http test1 http test2 http
 bind ssl test1 ssl test2 ssl
The load balancing works great but I'm having a lot of problems with HTTP and SSL sessions maintained to the same real server (STICKINESS). It seems to work fine with most of the websites but I'm having problems with users coming from AOL. Now I heard of those problems before and I don't know if it is due to the AOL mega proxy or the AOL browser. Does anyone know what could be happening? It seems that the IP stickiness doesn't work for these sites. Does anyone know if Foundry supports another type of sticky feature not based on IP address to maintain real server sessions?
ANY HELP WILL BE GREATLY APPRECIATED.
Luis Vazquez
ciscoIZZATnetsyssupport.com
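
Added example, not part of the thread: a small Python model of the behaviour discussed above, where one user behind a proxy farm arrives from changing source addresses. The sticky-table and cookie logic, the sample addresses and all function names are assumptions for illustration, not ServerIron behaviour or syntax.

```python
from itertools import cycle

REAL_SERVERS = ["test1", "test2"]  # real server names from the posted config
# Constructed sample addresses (documentation ranges), not real proxy IPs.
PROXY_FARM = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
DIRECT_USER = ["198.51.100.7"]


class Balancer:
    """Toy model of a virtual server with two persistence methods."""

    def __init__(self):
        self._round_robin = cycle(REAL_SERVERS)
        self.sticky_table = {}  # source IP -> real server

    def by_source_ip(self, src_ip):
        # Source-IP stickiness: a new address gets the next server,
        # a known address keeps the server it was given before.
        if src_ip not in self.sticky_table:
            self.sticky_table[src_ip] = next(self._round_robin)
        return self.sticky_table[src_ip]

    def by_cookie(self, cookie):
        # Cookie persistence: the balancer must see the HTTP request in
        # clear text, so for SSL it (or a device in front) terminates SSL.
        if cookie in REAL_SERVERS:
            return cookie, cookie
        server = next(self._round_robin)
        return server, server  # (chosen server, cookie value to set)


def run_session(mode, egress_ips, requests=6):
    """Return the real server chosen for each request of one user session."""
    lb, cookie, chosen = Balancer(), None, []
    for i in range(requests):
        src_ip = egress_ips[i % len(egress_ips)]  # proxy farm rotates the source
        if mode == "source-ip":
            chosen.append(lb.by_source_ip(src_ip))
        else:
            server, cookie = lb.by_cookie(cookie)
            chosen.append(server)
    return chosen


if __name__ == "__main__":
    for mode, ips in [("source-ip", DIRECT_USER), ("source-ip", PROXY_FARM),
                      ("cookie", PROXY_FARM)]:
        print(f"{mode:9} via {len(ips)} address(es): {run_session(mode, ips)}")
```
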
This archive was generated by hypermail 2.1.4 : Tue Oct 01 2002 - 17:37:02 EDT