09-13-2013 04:26 AM
In an SLB configuration where a CSW policy for insertion of the client IP address into the HTTP header of incoming traffic towards servers is configured for a virtual server, active-primary-overide-sticky does not seem to work. Once the primary servers are shut down, health checks for these fail as expected and traffic is forwarded to the backup server. But once these servers are back and health checks change to active for them, sessions which were directed to the backup server in the meantime remain stuck to it and are not terminated quickly. If the CSW policy is not attached to the virtual server config, sessions to the backup server are terminated immediately and new sessions are directed to the primary servers again, which is the required behaviour.
system type: ServerIron ADX 1016-2-PREM
system version: 12.4.00bT403
default forward 999
default rewrite request-insert client-ip "Customer_IP"
server remote-name server_a 10.10.0.1
server remote-name server_b 10.10.0.2
server remote-name server_c 10.10.0.3
server group-real WEB_SERVERS
real-server server_a server_b server_c
server virtual xyz.com 188.8.131.52
port default disable
port http sticky
port http lb-pri-servers
port http active-primary-overide-sticky
port http response-rewrite-policy "REWRITE"
port ssl sticky
port ssl ssl-terminate SSL-xyz-profile
port ssl lb-pri-servers
port ssl active-primary-overide-sticky
port ssl response-rewrite-policy "REWRITE"
port ssl csw-policy "INSERT_CUSTOMER_IP"
port ssl csw
port ssl keep-alive
bind http group-real WEB_SERVERS http
bind ssl group-real WEB_SERVERS 81
Since an action must be configured unconditionally for a CSW policy, default forward 999 is configured. The idea is that, since group-id 999 does not exist, the CSW policy should take no decision on which server traffic is forwarded to, and forwarding should be based on the virtual server config only (I also tried configuring a group ID for all involved real servers and setting forward to this ID in the csw-policy, which didn't help), and therefore active-primary-overide-sticky should work.
Is this a bug, and/or are there alternative ways to configure insertion of the client IP into the HTTP header of traffic while keeping the active-primary-overide-sticky feature functional?
09-18-2013 03:40 PM
I took a look and showed it to a colleague, and it really looks like this is set up correctly. Unfortunately, at this point, I would recommend calling TAC to troubleshoot this one further.