Re: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK

From: Cisco (ciscoIZZATnetsyssupport.com)
Date: Tue Oct 01 2002 - 17:30:40 EDT


    Thanks Philip. What I'm going to test is to set up AOL IP addresses to be redirected to only one real server.

    Regards

    Luis

      ----- Original Message -----
      From: Philip Goldie
      To: lb-lIZZATvegan.net
      Sent: Tuesday, October 01, 2002 2:22 PM
      Subject: RE: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK

      Luis,

      The problem is with the AOL Mega Proxies, not the browsers. Basically all AOL users (and those from
      other ISPs) are proxied behind farms of Caches which results in changes in Source IP addresses over time.
      This is why the IP Hashing model you're using is breaking.

      Forcing the web server to re-negotiate the SSL ID is not an answer as the switch still has no way of tracking
      the changing ID as far as I'm aware.

      The only answer is Cookies, although in an SSL environment, there is no way for a switch to read and parse
      the cookie values unless it (or a tertiary device) is terminating the SSL Session. In Alteon world we have an
      SSL Accelerator (the Nortel ASA-310 and ASA-310) to do this. Not sure how Foundry solves this issue. - anyone ?

      Phil.

      -----Original Message-----
      From: Cisco [mailto:ciscoIZZATnetsyssupport.com]
      Sent: 01 October 2002 18:43
      To: lb-lIZZATvegan.net
      Subject: Re: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK

      Thanks Phil for your posting.

      Definitely I'm not in control of the user DESKTOPs and still I don't understand why I'm getting problems only with AOL. From what you said I'm assuming that my problem is the AOL browser renegotiating the SSL session too fast. If that is the case, I heard you can force the WEB server to renegotiate the SSL session before the browser does and maybe that will fix the problem. Are you aware of this, or has anyone tried it before?

      Foundry supports SSL SESSION ID and COOKIE SWITCHING. Can I use the latter to maintain sessions across my servers?

      Thanks

      Luis

        ----- Original Message -----
        From: Philip Goldie
        To: lb-lIZZATvegan.net
        Sent: Tuesday, October 01, 2002 11:42 AM
        Subject: RE: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK

        Luis,

        The only real model for dealing with persistence either in SSL environments or plain HTTP is cookies. This is
        not a Foundry limitation, just the nature of the protocols, applications and infrastructures which make up the
        Internet :-(

        One alternative is to use SSL Session ID as a persistence mechanism, but this is often proved fruitless as
        most browsers renegotiate the SSL ID periodically. There is a fix for this, but only if you're in control of the
        desktop of the user base, which it sounds like you're not.

        Phil.

        -----Original Message-----
        From: Cisco [mailto:ciscoIZZATnetsyssupport.com]
        Sent: 01 October 2002 15:31
        To: lb-lIZZATvegan.net
        Subject: [load balancing] FOUNDRY SERVERIRON XL FAILED IP STICK

        I recently set up our Foundry ServerIron XL for SERVER LOAD BALANCING. This is the configuration we have:

        server real test1 65.165.34.11
         port http
         port http keepalive
         port http url "HEAD /"
         port ssl
         port ssl keepalive
        !
        server real test2 65.165.34.12
         port http
         port http keepalive
         port http url "HEAD /"
         port ssl
         port ssl keepalive
        !
        server virtual test 65.165.34.10
         port http sticky
         port ssl sticky
         track-group http 443
         bind http test1 http test2 http
         bind ssl test1 ssl test2 ssl

        The load balancing works great but I'm having a lot of problems with HTTP and SSL sessions maintained to the same real server (STICKINESS). It seems to work fine with most of the websites but I'm having problems with users coming from AOL. Now I heard of those problems before and I don't know if it is due to the AOL mega proxy or the AOL browser. Does anyone know what could be happening? It seems that the IP stickiness doesn't work for these sites. Does anyone know if Foundry supports another type of sticky feature not based on IP address to maintain real server sessions?
        ANY HELP WILL BE GREATLY APPRECIATED.

        Luis Vazquez
        ciscoIZZATnetsyssupport.com

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com
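
Added example (not part of the original thread and not ServerIron code): a small Python simulation of the persistence failure described above, using the real server names test1 and test2 from the posted configuration. The `Balancer` class, the proxy egress addresses and the cookie format are assumptions made for illustration; the cookie mode models a device that can read the request, which for SSL means it (or another device) terminates the session, as the thread notes.

```python
from itertools import cycle

REAL_SERVERS = ["test1", "test2"]  # real server names from the posted config

# Constructed sample data: egress addresses of one proxy farm (documentation range).
PROXY_FARM = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


class Balancer:
    """Toy balancer (hypothetical, not ServerIron code) with two persistence modes."""

    def __init__(self, mode):
        self.mode = mode                  # "source-ip" or "cookie"
        self.sticky = {}                  # source IP -> bound real server
        self._next = cycle(REAL_SERVERS)  # round-robin for new bindings

    def handle(self, src_ip, cookie=None):
        """Return (real_server, cookie_value_to_set_or_None)."""
        if self.mode == "cookie":
            # Only honour a cookie that names a known real server.
            if cookie in REAL_SERVERS:
                return cookie, None
            server = next(self._next)
            return server, server         # first request: bind and set the cookie
        # Source-IP stickiness: the binding follows the address, not the user.
        if src_ip not in self.sticky:
            self.sticky[src_ip] = next(self._next)
        return self.sticky[src_ip], None


def servers_seen(mode, egress_ips, requests=12):
    """Replay one user's session; each request leaves from the next egress address."""
    lb = Balancer(mode)
    cookie, seen = None, set()
    for _, src_ip in zip(range(requests), cycle(egress_ips)):
        server, set_cookie = lb.handle(src_ip, cookie)
        cookie = set_cookie or cookie     # the browser keeps the cookie once set
        seen.add(server)
    return sorted(seen)


if __name__ == "__main__":
    print("source-ip via proxy farm:", servers_seen("source-ip", PROXY_FARM))
    print("cookie via proxy farm:   ", servers_seen("cookie", PROXY_FARM))
    print("source-ip, fixed address:", servers_seen("source-ip", ["198.51.100.7"]))
```

The cookie carries the server name only to keep the example readable; that value format is a simplification of this example, not a description of any product.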



    This archive was generated by hypermail 2.1.4 : Tue Oct 01 2002 - 17:37:02 EDT