Application Delivery (ADX)

Cookie switching together with SSL offload

Posted on 05-08-2009 01:00 AM - edited on 10-30-2013 05:45 PM by bcm1



We want to enable persistence to the same server using cookies while doing SSL offload and acceleration at the same time.


To achieve persistence, we will insert cookies in all connections coming from new clients. We will layer-4 load-balance the connections, and at the same time insert a cookie.


The cookie value will contain the server-id to which the connection was load-balanced. Next time when the same client connects, it will present the cookie. Using the cookie value, we will know which real-server to choose and send the connection to it.


ATTENTION: This requires SSL offload. Ensure you are running ADX OS 12.1 or later.




We will use Layer-7 content switching (csw) to achieve this. There are three important points to note:


  • Connections from new clients will not have the cookie, so the ServerIron will not know how to switch them. To handle such clients, the ServerIron sends them to a pre-defined group. For this, a group-id must be assigned to each real-server.
  • Once a server is selected, its ServerID is used as the cookie value. For this, a server-id must be assigned to each real-server.
  • For new connections, the ServerIron sets a cookie. The cookie name must be defined so that the ServerIron can send Set-Cookie: CookieName=value to the client. For this, cookie-name must be defined under the vip.


Topology Diagram


not needed


Sample Code/Configuration


ssl profile verisign128
    keypair-file verisign128key
    certificate-file verisign128cert
    cipher-suite all-cipher-suites
    session-cache off

csw-rule "r1" header "cookie" search "ServerID="
csw-policy "p1"
    match "r1" persist offset 0 length 4 group-or-server-id
    default forward 1
    default rewrite insert-cookie
server real rs18
    port http
    port http url "HEAD /"
    port http server-id 1218
    port http group-id 1 1
server real rs11
    port http
    port http url "HEAD /"
    port http server-id 1211
    port http group-id 1 1
server virtual vip1
    port ssl ssl-terminate verisign128
    port ssl csw-policy "p1"
    port ssl csw
    bind ssl rs18 http rs11 http
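
The following Python model is an added illustration, not Brocade code and not part of the original article. It walks through the decision that csw-rule "r1" and csw-policy "p1" describe, using the server-id and group-id values from the configuration above. Assumptions: a malformed or unknown cookie value falls back to the default group, and a cookie is inserted on every request that is not already persisted.

```python
import random

# Values taken from the sample configuration above.
COOKIE_NAME = "ServerID"                  # string searched for by csw-rule "r1"
PERSIST_OFFSET, PERSIST_LEN = 0, 4        # "persist offset 0 length 4"
SERVERS = {1218: "rs18", 1211: "rs11"}    # port http server-id
GROUPS = {1: ["rs18", "rs11"]}            # port http group-id 1 1
DEFAULT_GROUP = 1                         # "default forward 1"


def extract_id(cookie_header):
    """Return the integer that follows 'ServerID=' or None if absent/malformed."""
    if not cookie_header:
        return None
    marker = COOKIE_NAME + "="
    pos = cookie_header.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker) + PERSIST_OFFSET
    value = cookie_header[start:start + PERSIST_LEN]
    # The cookie is client-controlled: accept exactly four ASCII digits only.
    if len(value) != PERSIST_LEN or not (value.isascii() and value.isdigit()):
        return None
    return int(value)


def switch(cookie_header, rng=random):
    """Return (real_server, set_cookie_or_None) for one request."""
    ident = extract_id(cookie_header)
    if ident in SERVERS:
        # Returning client: honour persistence, no new cookie needed.
        return SERVERS[ident], None
    if ident in GROUPS:
        # "group-or-server-id": the value names a group, balance inside it.
        pool = GROUPS[ident]
    else:
        # No cookie, or an unknown/malformed value (assumed fallback).
        pool = GROUPS[DEFAULT_GROUP]
    server = rng.choice(pool)
    server_id = next(i for i, name in SERVERS.items() if name == server)
    # "default rewrite insert-cookie": tell the client which server it got.
    return server, f"Set-Cookie: {COOKIE_NAME}={server_id}"
```

The length of 4 in the persist statement matches the four-digit server-id values 1218 and 1211; a server-id with a different number of digits would need a matching length.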





Tips and Caveats


Optionally, you can also use the following commands under the virtual server to change the age, domain or path of the cookie being inserted.


  • port http cookie-age
  • port http cookie-domain
  • port http cookie-path


Further Reading


You can also insert different cookies depending on the csw-rule being hit. A sample config is: L7CSWMultipleCookies

Further info on SSL offload/acceleration: SSL offload and acceleration concepts and examples