Application Delivery (ADX)

Occasional Contributor
alessandro.barisone
Posts: 17
Registered: ‎05-23-2012

ssl-id session and sticky-age

Hi all,

I've implemented this configuration:

server virtual Sharepoint_ 192.168.1.11
 sticky-age 60
 sym-priority 12
 sym-active
 port ssl sticky
 port ssl session-id-switching
 port http
 port http script "REDSPFE.PL"
 port http keep-alive
 bind ssl SharePoint3 ssl SharePoint4
 bind http SharePoint3 http SharePoint4
server real SharePoint3 10.10.249.145
 source-nat
 port http
 port http url "HEAD /"
 port http group-id 1 1
 port ssl
!
server real SharePoint4 10.10.249.146
 source-nat
 port http
 port http url "HEAD /"
 port http group-id 2 2
 port ssl

The script redirects http to https and manages a sorry server.

What I need to know is how I can troubleshoot the ssl session-id-switching and sticky-age in ADX. Maybe there are tables to see.

I've configured these two commands in order to maintain the session on the same server based on ssl id and with a timeout of 60 seconds.

Does the sticky option have any effect when SSL Session ID switching is enabled?

Any comment is appreciated.

Regards

Alessandro

Contributor
msahni
Posts: 28
Registered: ‎08-18-2011

Re: ssl-id session and sticky-age

Hi Alessandro,

Sticky and session-id-switching are mutually exclusive features, and if you have both of them configured then sticky will take precedence over session-id-switching.

Unfortunately there are no show commands to provide information about the session-id-switching database which the ADX maintains.

You can refer to the "Setting up SSL session ID switching" section in chapter 5 of the ADX SLB user guide for more information about this feature.

Let me know if you have any other questions.

Regards,

Mohit

Occasional Contributor
alessandro.barisone
Posts: 17
Registered: ‎05-23-2012

Re: ssl-id session and sticky-age

Mohit,

thank you for your reply.

Please, could you tell me which is better: ssl-id or sticky? It seems to me that ssl-id is specifically for ssl while sticky is broader (it's possible to use it for other protocols).

Another question: is the algorithm of both the same, or are there differences that can be taken into account when I choose one of them?

Regards

Alessandro

Contributor
msahni
Posts: 28
Registered: ‎08-18-2011

Re: ssl-id session and sticky-age

Hi Alessandro,

If you don't have any specific reason to use ssl-id, then use sticky, as sticky is more widely used by customers and you also have some better debugging options with sticky which you don't have with ssl-id.

SSL session id switching can be used if the load balanced application uses it for maintaining some kind of sessions on the servers. If using ssl id, the same client can have two different ssl sessions going to two different real servers, but in the case of sticky the same client will always go to the same real server because sticky is based on the client's ip address.

So if the majority of clients are behind some kind of NAT, then ssl session id may be a better option.

-Regards,

Mohit
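
A toy model of the difference described in the reply above between source-IP sticky and SSL session ID persistence for clients behind NAT, added here as an illustration; it is not ADX code and not part of the original thread. The table class, round-robin selection for new keys, timer refresh on each hit, abstract time units and the sample connections are all assumptions.

```python
# Toy model of a load balancer persistence table (not ADX code; names are hypothetical).
from itertools import cycle

REAL_SERVERS = ["SharePoint3", "SharePoint4"]  # real server names from the thread

# Constructed sample: four SSL sessions arriving from one NAT address, then
# session "a1" returning twice. "t" is an abstract clock, "sid" stands in for
# the SSL session ID.
SAMPLE = [
    {"t": 0, "src": "203.0.113.10", "sid": "a1"},
    {"t": 1, "src": "203.0.113.10", "sid": "b2"},
    {"t": 2, "src": "203.0.113.10", "sid": "c3"},
    {"t": 3, "src": "203.0.113.10", "sid": "d4"},
    {"t": 10, "src": "203.0.113.10", "sid": "a1"},   # resumed within the age
    {"t": 200, "src": "203.0.113.10", "sid": "a1"},  # returns after the entry aged out
]

class PersistenceTable:
    """Maps a persistence key to a real server and ages out idle entries."""

    def __init__(self, servers, max_idle):
        self._rr = cycle(servers)   # assumed: round-robin choice for unknown keys
        self._max_idle = max_idle
        self._entries = {}          # key -> (server, last_seen)

    def pick(self, key, now):
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] <= self._max_idle:
            server = entry[0]               # live entry: stay on the same server
        else:
            server = next(self._rr)         # new or aged-out key: balance again
        self._entries[key] = (server, now)  # assumed: each hit refreshes the timer
        return server

def by_source_ip(conn):
    return conn["src"]

def by_ssl_session_id(conn):
    return conn["sid"]

def simulate(connections, key_of, max_idle=60):
    """Return the real server chosen for each connection, in order."""
    table = PersistenceTable(REAL_SERVERS, max_idle)
    return [table.pick(key_of(c), c["t"]) for c in connections]

if __name__ == "__main__":
    for name, key_of in (("source IP", by_source_ip), ("SSL session ID", by_ssl_session_id)):
        print(f"{name:15}", simulate(SAMPLE, key_of))
```

Keyed on source IP, every session from the NAT address lands on one real server until the entry ages out; keyed on session ID, the same address is spread across both.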
