
Application Delivery (ADX)

Cookie switching together with SSL offload

on 05-08-2009 07:34 AM


We want to enable persistence to the same server using cookies while doing SSL offload at the same time.

To achieve persistence, we will insert cookies in all connections coming from new clients. We will layer-4 load-balance the connections, and at the same time insert a cookie.

The cookie value will contain the server-id of the real server to which the connection was load-balanced. The next time the same client connects, it will present the cookie. Using the cookie value, we will know which real server to choose and will send the connection to it.

ATTENTION: This requires SSL offload. Ensure you are running ADX OS 12.1 or later.


We will use Layer-7 switching (csw) to achieve this. There are three important points to note:

  • Connections from new clients will not have the cookie, so the ServerIron will not know how to switch them. To handle such clients, the ServerIron will send them to a pre-defined group. A group-id must therefore be assigned to each real server.
  • Once a server is selected, its ServerID will be used as the cookie value. A server-id, to be used in the cookie value, must therefore be assigned to each real server.
  • For new connections, the ServerIron will set a cookie. The cookie name has to be defined so that the ServerIron can send a set-cookie: CookieName=value header to the client. The cookie-name must therefore be defined under the vip.

Topology Diagram

not needed

Sample Code/Configuration

ssl profile verisign128
    keypair-file verisign128key
    certificate-file verisign128cert
    cipher-suite all-cipher-suites
    session-cache off

csw-rule "r1" header "cookie" search "ServerID="
csw-policy "p1"
    match "r1" persist offset 0 length 4 group-or-server-id
    default forward 1
    default rewrite insert-cookie
server real rs18
    port http
    port http url "HEAD /"
    port http server-id 1218
    port http group-id 1 1
server real rs11
    port http
    port http url "HEAD /"
    port http server-id 1211
    port http group-id 1 1
server virtual vip1
    port ssl ssl-terminate verisign128
    port ssl csw-policy "p1"
    port ssl csw
    bind ssl rs18 http rs11 http
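
The decision path that the configuration above expresses, as a small Python model. This is an added example, not Brocade's code or part of the original article; the round-robin picker and the handling of an unrecognised cookie value as a new client are assumptions, and only the server-id case of group-or-server-id is modelled.

```python
import itertools
import re

# Values copied from the sample configuration on this page.
REAL_SERVERS = {"rs18": {"server_id": 1218, "group_id": 1},
                "rs11": {"server_id": 1211, "group_id": 1}}
COOKIE_NAME = "ServerID"   # string searched for by csw-rule "r1"
PERSIST_LEN = 4            # "persist offset 0 length 4"
DEFAULT_GROUP = 1          # "default forward 1"

_round_robin = itertools.count()

def _pick_from_group(group_id):
    """Assumed stand-in for layer-4 load balancing: round-robin in the group."""
    members = sorted(n for n, s in REAL_SERVERS.items()
                     if s["group_id"] == group_id)
    return members[next(_round_robin) % len(members)]

def switch(cookie_header):
    """Return (real_server, set_cookie_or_None) for one decrypted request."""
    header = cookie_header or ""
    m = re.search(re.escape(COOKIE_NAME) + "=", header)
    if m:
        # Offset 0, length 4, counted from the end of the matched string.
        value = header[m.end():m.end() + PERSIST_LEN]
        for name, srv in REAL_SERVERS.items():
            if str(srv["server_id"]) == value:
                return name, None   # returning client: persist, no new cookie
    # No cookie, or (assumption) a stale, truncated or tampered value:
    # use the default group and insert a fresh cookie.
    server = _pick_from_group(DEFAULT_GROUP)
    return server, f"{COOKIE_NAME}={REAL_SERVERS[server]['server_id']}"

if __name__ == "__main__":
    # Constructed Cookie headers, not captured traffic.
    for hdr in (None, "lang=en; ServerID=1218", "ServerID=9999", "ServerID=12"):
        print(repr(hdr), "->", switch(hdr))
```

The cookie value is supplied by the client, so the model only honours it when it exactly matches a configured server-id.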


Tips and Caveats

Optionally, you can also use the following commands under the virtual server to change the age, domain or path of the cookie being inserted.

  • port http cookie-age
  • port http cookie-domain
  • port http cookie-path

Further Reading

You can also insert different cookies depending on the csw-rule being hit. A sample config is: L7CSWMultipleCookies

Further info on SSL offload/acceleration:

by christoph.kaminski
on ‎09-25-2011 02:30 AM

What about a sticky fallback if the browser doesn't support cookies (or has cookies disabled)? How can I do it?

Is it enough to use "port ssl sticky"?