Sticky sessions cookie issue

PjarInk

Hello

I have an issue with sticky sessions, currently we're using a cookie set by the AX on http-request, the issue I have (it's a webshop) is that upon checkout, the store switches from http to https and thus we get a new cookie and there's a high probability that the shopping cart is lost due to server switch.

This is one possible solution: https://www.a10networks.com/vadc/index.php/forums/topic/aflex-for-individual-server-cookie-persist/

Though I don't see how it would work, what makes it so that the AX knows what server to keep track of with that http-response cookie? (We already use JSESSIONID for other stuff).

Another solution I thought of is to somehow create the https-cookie upon the first http-request.

Any ideas/thoughts?

thomas.hedstrommer@a10networks.com

Hi, try to set the cookie persistence template to match type server on both port 80 and port 443.
I believe that should do the trick.

Kind regards,
Thomas

PjarInk

There is no option to specify ports in the cookie template, do I have to use a single service group with both ports specified?

thomas.hedstrommer@a10networks.com

What version are you on?

I am on version 2.7.1, cookie persistence, match type and change that from port to server.

BR
Thomas

PjarInk

Software Version: 2.7.1-P2(build: 57)

Cookie persistance is on match service group, server and not on port.

PjarInk

Anyone else has any input?

I'm in quite a bind here.

thomas.hedstrommer@a10networks.com

Are they located at the same virtual server?(i guess they are)
Are both services set to use match type service?

Good luck,
Thomas

mischa

We probably need to modify the aFleX you are using. Can you post your current script?

PjarInk

Thomas: Yes, they are at the same virtual server. I'm not following you, we have 1 template for the cookie where match type server is set. Where do I find match type service?

Mischa: Not using aflex, it's a cookie persistance template at the moment, though I linked to that aflex as I think it's a possible solution, but I want to understand how it works, because to my eyes all that script does is to check if there is a cookie and then save the info, I don't see any connection between that info and which server to send the client to.

mischa

The way it works is as follows.
On the incoming client request a server is selected based on the load balancing method you have specified. One the server is selected a cookie is inserted, to the client only, which contains a hash of the destination server. Any subsequent request will be send to this server as long as the cookie is present.

The different match types will tell us for which requests we would use the same server.
When the match type is port we will only forward requests to the specific port to which the template is applied. Which can mean that request via port 80 and port 443 will end up at different serves.
By using match-type server you can prevent this.

The cookie template will need to look something like:
slb template persist cookie tp-cookie-persist match-type server

Without an expire the cookie will be removed as soon as the browser closes.

This template needs to be applied to both ports, 80 and 443.

Hope this helps.

PjarInk

We have it set up like that, at least in the gui, I will see if it differs in cli.

My guess is that we have either done something wrong in the server group/virtual server or there's a bug in the gui showing us wrong information (match type server set, but not effective).

mischa

That could be the case. 2.7.1-P3 is available for download via our portal.

PjarInk

We have an update scheduled tonight, I will update with results.

PjarInk

So we performed the update and we see no different results. I suspect misconfiguration.

Could you go through how it should be set up or point me to a resource with instructions? Because what I have available today is not entirely logical or correct it seems.

mischa

The steps are very simple.
1) Create an cookie persist template as mentioned.
2) Apply it to the virtual server ports.
3) Done...

But in order to do proper trouble shooting, would you be able to supply the running config or show tech?

PjarInk

I might not be able to supply the running config, I can check. But I can describe the setup:
2 service groups, app:80 and app:443, 1 virtual server pointing port 80 and 443 to respective service group. 2 virtual service, 80 and 443, both have the same cookie persist template.

Most of the settings are default.

PjarInk

Can I PM you somehow Mischa?

mischa

Ah... that explains it. You are not using the same service-group for both port 80 and 443.
Where are you terminating the SSL session? On the AX or the Server?
No idea if you can PM me through this forum, but you can drop me an email on mpeters [at] a10networks [dot] com

PjarInk

We are terminating it on the AX.

I thought we had something wrong there, I will test and configure both ports on one service group! Thanks.

PjarInk

When I set http and https in one service group and use that, I get a redirect loop which I have a hard time understanding why it pops up. Any ideas?

mischa

The service-group for virtual-port 443 is also going to port 443 on the server?
The application is probably doing the redirect when it's not receiving traffic in port 443.

PjarInk

I will look into that, thanks alot for your help so far!

PjarInk

We need to have SSL on port 8080 towards the servers, what I can't seem to understand is that when I have both http and https in one service group, how does the AX distinguis the traffic and send it on the correct port?

What we see right now is that when you open the site (http) the request comes in on 8080 to the servers. It's not encrypted between the AX and the servers since the AX is terminating the SSL.

mischa

In this case you can _not_ add both ports to the service group. If you can send me your running config offline I will build an aFleX that suits your needs as the standard cookie persistence will not work for you.

PjarInk

I will send it to you, thank you!