[f-nsp] Sticky sessions not so sticky??

Andrew Cruse andrew at profitability.net
Tue Aug 17 14:02:45 EDT 2010


[Apologies if this is a duplicate, it doesn't appear the first went
through.]

Having a devil of a time getting HTTP sessions to stay sticky on an old
ServerIron XL.  This should be an easy one, but I just can't seem to get
things to behave.

Here's the relevant bits of the config:

server sticky-age 60
server clock-scale 2
server tcp-age 60
!
server port 80
tcp 60 2
!
server real web1 10.0.0.1
port default disable
port http
port http keepalive
port http url "HEAD /"
port http status-code  200 201 300 302
port ssl
port ssl keepalive
!
server real web2 10.0.0.2
port default disable
port ssl
port ssl keepalive
port http
port http keepalive
port http url "HEAD /"
port http status-code  200 201 300 302
!
!
server virtual "Virtual Server" 10.0.0.3
port http sticky                                                
port ssl sticky
bind http web1 http web2 http
bind ssl web1 ssl web2 ssl
bind default web2 default web1 default
!
!                                                                
end

About as vanilla as they come.  Really the only things of note:

1.  The clock-scale is set to 2 to get 120 minute session aging
2.  The "default" site on the webservers in question immediately does a
redirect, hence the inclusion of 302 as an accepted status code.

Excerpted "sh server" output:

Server Load Balancing - global parameters
Predictor =          least-conn
Force-deletion =     0
Reassign-threshold = 20
Reassign-limit =     3
Ping-interval =      2                                          
Ping-retries  =      4
HTTP-keepalive-interval = 5
HTTP-keepalive-retries  = 2
Session ID age =    30
TCP-age  =           60
UDP-age  =           5
Sticky-age  =        60
TCP-syn-limit =      65535
TCP-total conn =     355157
Unsuccessful conn =  0
ICMP-message = Disabled
RESET-message = Disabled
Virtual Server Name: Virtual Server,   IP: 10.0.0.3
        http -------> web1: 10.0.0.1,  http (Active)
                      web2: 10.0.0.2,  http (Active)
         ssl -------> web1: 10.0.0.1,  ssl (Failed)
                      web2: 10.0.0.2,  ssl (Failed)
     default -------> web2: 10.0.0.2,  default (User Disabled)
                      web1: 10.0.0.1,  default (User Disabled)

Client->Server       =          0  Server->Client       =          0
Drops                =          0  Aged                 =      94671
Fw_drops             =          0  Rev_drops            =          0
FIN_or_RST           =          0  old-conn             =          0
Disable_drop         =          0  Exceed_drop          =          0
Stale_drop           =          0  Unsuccessful         =          0
TCP SYN-DEF RST      =          0  Server Resets        =          0
Out of Memory        =          0  Out of Memory        =          0

Avail. Sessions      =     523903  Total Sessions       =     524288
Total C->S Conn      =     355157  Total S->C Conn      =          0
Total Reassign       =          0  Unsuccessful Conn    =          0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Real Server     State   CurrConn    TotConn TotRevConn   CurrSess   PeakConn

web1                6          1     195447          0        285          0
web2                6          2     159710          0         92          0

A look at an active session:

Index Src-IP         Dst-IP         S-port D-port Age Serv Flags
===== ======         ======         ====== ====== === ==== ==========
0     10.10.10.1     10.0.0.3       0      0      0   web2 SLB1
1     10.10.10.1     10.0.0.3       0      80     2   web2 SLB1
2     10.10.10.1     10.0.0.3       41593  80     59  web2 SLB1>+  A
3     10.10.10.1     10.0.0.3       41594  80     59  web2 SLB1>+  A
4     10.10.10.1     10.0.0.3       41595  80     59  web2 SLB1>+  A
5     10.10.10.1     10.0.0.3       41596  80     59  web2 SLB1>+  A
6     10.10.10.1     10.0.0.3       41597  80     59  web2 SLB1>+  A
7     10.10.10.1     10.0.0.3       41598  80     59  web2 SLB1>+  A
8     10.10.10.1     10.0.0.3       41602  80     59  web2 SLB1>+  A
9     10.10.10.1     10.0.0.3       41603  80     59  web2 SLB1>+  A
10    10.10.10.1     10.0.0.3       41604  80     59  web2 SLB1>+  A
11    10.10.10.1     10.0.0.3       41605  80     59  web2 SLB1>+  A
12    10.10.10.1     10.0.0.3       41606  80     59  web2 SLB1>+  A
13    10.10.10.1     10.0.0.3       41607  80     59  web2 SLB1>+  A
14    10.10.10.1     10.0.0.3       41608  80     59  web2 SLB1>+  A
15    10.10.10.1     10.0.0.3       41609  80     59  web2 SLB1>+  A
16    10.10.10.1     10.0.0.3       41610  80     59  web2 SLB1>+  A
17    10.10.10.1     10.0.0.3       41611  80     59  web2 SLB1>+  A
18    10.10.10.1     10.0.0.3       41613  80     59  web2 SLB1>+  A
19    10.10.10.1     10.0.0.3       41614  80     59  web2 SLB1>+  A
20    10.10.10.1     10.0.0.3       41615  80     59  web2 SLB1>+  A
21    10.10.10.1     10.0.0.3       41616  80     59  web2 SLB1>+  A
22    10.10.10.1     10.0.0.3       41617  80     59  web2 SLB1>+  A
23    10.10.10.1     10.0.0.3       41618  80     59  web2 SLB1>+  A

According to what the ServerIron is telling me, that session is nailed to
web2.  Repeatedly issuing "sh sessions all src-ip 10.10.10.1" confirms that
the session never budges from web2.  The user-experience, however, is quite
different.  The web developers on the servers in question have inserted a
tiny "1" or "2" in the corner of the web pages being served up to indicate
which server is generating the content.  Browsing through the website or
just sitting on a single page hitting refresh results in that number changing
back and forth at random -- exactly what you'd expect to see if sticky
sessions were NOT enabled.

Is there something I've missed???

Thanks,

Andrew
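
The check described in the post (reading the session table to confirm that a client never leaves one real server) can be scripted. This is an added example, not part of the original message: the sample rows are constructed, client 10.10.10.2 is invented to show a split, and the destination is assumed to be the virtual server 10.0.0.3. Rows where the Dst-IP and S-port columns run together are split before comparison.

```python
from collections import defaultdict

VIP = "10.0.0.3"  # virtual server address from the posted config

# Constructed rows in the layout of a "sh sessions" listing. Row 2 has the
# Dst-IP and S-port columns fused; client 10.10.10.2 is invented.
SAMPLE = """\
0     10.10.10.1     10.0.0.3       0      0      0   web2 SLB1
1     10.10.10.1     10.0.0.3       0      80     2   web2 SLB1
2     10.10.10.1     10.0.0.341593  80      59  web2 SLB1>+  A
3     10.10.10.1     10.0.0.3       41594  80     59  web2 SLB1>+  A
4     10.10.10.2     10.0.0.3       0      80     7   web1 SLB1
5     10.10.10.2     10.0.0.3       52001  80     58  web2 SLB1>+  A
"""

def parse_sessions(text, vip=VIP):
    """Return (src, sport, dport, age, server) for each row aimed at vip."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].isdigit():
            continue  # header, separator or blank line
        src, dst, rest = tok[1], tok[2], tok[3:]
        nums = []
        while rest and rest[0].isdigit():
            nums.append(int(rest.pop(0)))
        # Two numeric columns instead of three means the source port is
        # glued to the destination address, e.g. "10.0.0.341593".
        if len(nums) == 2 and dst.startswith(vip) and dst[len(vip):].isdigit():
            nums.insert(0, int(dst[len(vip):]))
            dst = vip
        if len(nums) != 3 or dst != vip or not rest:
            continue  # not a session to this virtual server
        sport, dport, age = nums
        rows.append((src, sport, dport, age, rest[0]))
    return rows

def unpinned_clients(rows):
    """Map (client, service port) -> servers when more than one server appears."""
    seen = defaultdict(set)
    for src, sport, dport, age, server in rows:
        if dport:  # ignore rows with destination port 0
            seen[(src, dport)].add(server)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    print(len(rows), "rows;", unpinned_clients(rows) or "every client pinned")
```

An empty result for a client means the table itself shows no split, so any flip-flopping seen in the browser has to be explained somewhere other than the entries parsed here.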



