06-21-2012 05:46 AM
Running a config as follows which is intended to offload SSL, then use 'cookie-switching' to persistently keep a client served from the same real server.
Config as follows:
! MATCH SOMETHING (in this case check if we have a serverID cookie set)
csw-rule "MatchServerID" header "cookie" search "ServerID="
! ACT ON THE MATCH (if no cookie, set one, if cookie set, ‘persist’ the connection to the server ID referenced in the cookie)
match "MatchServerID" persist offset 0 length 4 group-or-server-id
default forward 2
default rewrite insert-cookie "ServerID"
! REALSERVER CONFIG
server real R1 10.126.1.1
port 8080 server-id 1230
port 8080 group-id 2 2
! VIRTUALSERVER CONFIG
server virtual V1 10.1.2.162
no port ssl sticky
port ssl ssl-terminate V1.profile
port ssl csw-policy "CookieSwitch"
port ssl csw
bind default R1 default
bind ssl R1 8080
This config results in the request not getting fulfilled at all.
If I remove SSL termination ('no port ssl ssl-terminate V1.profile'), keeping everything else the same, I can actually hit:
and get my ServerID cookie written in the response from Tomcat.
If I remove the CSW from port ssl instead ('no port ssl csw'), I likewise can hit:
https://myURL/ and get my pages served properly.
Platform info is as follows:
SW: Version 11.0.00aTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.
Compiled on Feb 12 2009 at 20:27:25 labeled as WJR11000a
HW: Stackable Router, SYSIF version 21, Serial #: Non-exist
ServerIron 4G SSL, SYSIF 2 (Mini GBIC)
Serial #: <REMOVED>
0 MB SHM, 1 Application Processors
4096 KB BRAM, JetCore ASIC IGC version 49
32768 KB PRAM and 2M-Bit*1 CAM for IGC 0, version 0449
1.0 GHz Power PC processor 750GX (version 7002/0112) 66 MHz bus
512 KB boot flash memory
16384 KB code flash memory
512 KB SRAM
512 MB DRAM
The system uptime is 64 days 21 hours 2 minutes 34 seconds
The system started at 15:42:41 GMT+00 Tue Apr 17 2012
The system : started=cold start
Is this a known issue with this platform/software release?
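The decision logic the posted policy is meant to implement, modelled as an added example (not part of the original thread and not vendor code). It assumes the inserted cookie has the form `ServerID=<server-id>` and that a missing or unknown ID falls through to the default actions; the sample requests are constructed. The last sample shows that the cookie rule has nothing to match on unless the request has already been decrypted.

```python
import re

# Constructed model of the posted CSW policy; values mirror the config above.
COOKIE = "ServerID"
SERVER_IDS = {1230: "R1"}   # server real R1 ... port 8080 server-id 1230
GROUPS = {2: [1230]}        # port 8080 group-id 2 2
DEFAULT_GROUP = 2           # default forward 2

def parse_headers(raw):
    """Return request headers, or None if the bytes are not plaintext HTTP
    (for example a TLS record that was never decrypted)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not re.fullmatch(r"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def switch(raw):
    """Return (real_server, cookie_to_insert) for one client request."""
    headers = parse_headers(raw)
    if headers is None:
        return (None, None)                 # no header to match on
    cookie = headers.get("cookie", "")
    pos = cookie.find(COOKIE + "=")         # csw-rule ... search "ServerID="
    if pos != -1:
        start = pos + len(COOKIE) + 1
        token = cookie[start:start + 4]     # persist offset 0 length 4
        if re.fullmatch(r"[0-9]{4}", token) and int(token) in SERVER_IDS:
            return (SERVER_IDS[int(token)], None)
    # Assumption: no cookie or an unknown id falls through to the default actions.
    sid = GROUPS[DEFAULT_GROUP][0]          # default forward 2
    return (SERVER_IDS[sid], f"{COOKIE}={sid}")  # default rewrite insert-cookie

# Constructed sample requests.
FIRST = b"GET / HTTP/1.1\r\nHost: myURL\r\n\r\n"
RETURNING = b"GET / HTTP/1.1\r\nHost: myURL\r\nCookie: JSESSIONID=abc; ServerID=1230\r\n\r\n"
STALE = b"GET / HTTP/1.1\r\nHost: myURL\r\nCookie: ServerID=9999\r\n\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for name, req in [("first", FIRST), ("returning", RETURNING),
                      ("stale", STALE), ("tls", TLS_RECORD)]:
        print(name, switch(req))
```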
06-25-2012 04:25 AM
You are using 11.0a as the running software image.
11.0 is only recommended if you are using IPv6. The latest release is 11.0h. You should change to the latest release as there are a couple of caveats regarding CSW and SSL.
If you do not need IPv6 please change to 10.2.02.
01-31-2013 01:26 AM
SSL does not work with activated csw, with installed firmware version 10.2.02.
We have tested with SSL termination and without; the only thing that works is to disable csw for port ssl - but then I have no client IP insertion and/or cookie.
Is there any new information regarding this issue?