[f-nsp] [ServerIronXL] SSL sessionID and sticky port
Youssef GHORBAL
youssef.ghorbal at netplus.fr
Tue Jan 16 13:50:33 EST 2007
Hello,
I have a ServerIronXL load balancing 2 webservers with https content.
I configured the SI to use the SSL Session ID load balancing and it
seems to work well... but not all the time.
In fact, for some mysterious reasons the client sometimes receives
a TCP reset packet, brutally ending the TCP session and the underlying
SSL session. The client restarts a new SSL session to continue
retrieving the content, the SI treats this new session and forwards the
request to one of the real servers. When this new request is forwarded
to the previous real server (the one the client was talking to before
the reset) there is no problem. But when the new request is forwarded
to the other webserver, the client is disconnected from the website
because this server has no state information about this client....
What I can't understand is what the priority is in packet treatment in
this case:
- the 443 port is sticky (with a sticky age of 30 minutes) so this
should assure that all https requests coming from a given client are
forwarded to the same real server
- the SSL Session ID is enabled, so all client requests containing
the same Session ID have to be forwarded to the same server.
- Round Robin is the default predictor.
Is it:
- Check SSL Session table, if not found check Sticky table, if not
found then Round Robin ?
- Check SSL Session table; if not found then Round Robin ?
Does the sticky option have any effect when SSL Session ID switching
is enabled?
Regards,
Youssef Ghorbal