Load Balancing web servers "Sticky" rolling over inappropriately
-
In my colo I've got a pfSense box running 1.2.3-RELEASE (202 days of uptime, the last down time was when the entire colo lost power last summer due to heat). It's been working swimmingly :D
A few months ago, we developed a web app (asp.net) that makes use of session when a user is logged in. We set up the load balancer functionality with "sticky connections." It worked "ok" but we got frequent timeouts. Initially we thought it was bad code, but I recently determined that it was the "sticky connections" not being sticky.
We've worked around it in our code for this one application, but we have some legacy apps (that we can't change the code on) that we'd like to put into the load balancer because, frankly, it's awesome when it works right.
Thinking that perhaps 2.0.1 is better at this than 1.2.3, I built a 2.0.1 box up and installed it as the firewall at my office. I put two servers behind the firewall and load balanced them. It seems to work ok, and 2.0 is nice in that it shows the states in diag->states.
However it seems like the states are releasing quicker than our session timeout in the application, so we're getting "random" logouts.
Is there any tuning I can do (without recompiling – I prefer to run stable/release packages in production) to stop the behavior that we're seeing?
Thanks!
-
It might be related to the src.track setting?
-
Did you try the haproxy package?
I have no stick issues using haproxy for https balance/failover
-
Hmm. Hadn't looked at haproxy. It doesn't support ssl, does it (although your message says https)?
-
haproxy supports tcp, http and https load balance/fail over
-
I set up haproxy, replacing the built-in load balancer, in my test environment and it appears to be working pretty well (for http traffic). I did get some unavailable errors (well one of my test subjects did), but I'm not sure what that's about.
Thanks for the help, I'll need to investigate what happens on the ssl side (since I'm guessing the ssl will be unwrapped before it hits the web server otherwise it couldn't set a cookie).
-
this topic may help you.
http://forum.pfsense.org/index.php/topic,47070.msg247667.html#msg247667
-
Well.. I got https load balancing working (second front end, added dupe web1 and web2's bound to that frontend).
However… session affinity is not working in IE. It appears to be working in Chrome, but IE is rotating between sessions.
I set the load method to be Source (since https can't add cookies since the traffic is encrypted [of course]).
-
Hmm… I think that the SSL certs might not be the same on both servers and that's causing the problem (hence two different sslids). They are using the same (self gen'ed) cert.
Something funky is going on.
-
changed my frontend passthrough to stick-table type ip size 30k expire 30m
removed the passthrough on the servers
Cleared the ssl cache in IE. It appears to be working ok…
But now that I think about my app... we'll have users starting on non-ssl and then moving to ssl (typical ecommerce), so I might just want to use a shared session state so that we don't care at all what server the users go to :)
I do have some legacy apps that I'd like to round robin the ssl... but I might just 1:1 nat em ;)
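
The stick-table line from the last post, placed in a plain haproxy.cfg for TLS passthrough with source-IP affinity. This is an added example, not the poster's configuration: the section names, addresses and timeout values are placeholders, and the layout assumes a hand-written config rather than the pfSense package GUI.

```haproxy
# Added example; names, addresses and timeouts are placeholders.
defaults
    mode tcp                      # TLS is passed through, so no cookie can be inserted
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_in
    bind 192.0.2.10:443
    default_backend web_https

backend web_https
    balance roundrobin            # used only for clients with no table entry yet
    # One entry per client IP. An entry that sits idle longer than "expire"
    # is dropped, and the next connection from that IP is balanced again,
    # so "expire" should be at least the application's session timeout.
    stick-table type ip size 30k expire 30m
    stick on src                  # look up / store the server by source address
    server web1 192.0.2.21:443 check
    server web2 192.0.2.22:443 check
```

Source-address affinity treats every client behind the same NAT or proxy as one entry, so all of them land on the same server.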