Cisco ACE and the HTTP Headers

In September, 2007, Keane reported problems with their application when a 2nd app server was added to their VIP. Problems ranged from users getting logged out or pages simply failing to load. Apps Eng investigated the issue and discovered the problem centered around the HTTP headers, specifically the cookies used for tracking users for persistence purposes.

Background

The Keane application sets 2 cookies for storing various pieces of information. The Cookie2 IETF specification allows for up to 4 kilobytes of data to be stored in cookies. Keane's application was storing just under 2 kilobytes of data in these two cookies, well within the defined limits. With the introduction of a 2nd app server in the VIP, the ACE load balancer injected a 3rd cookie into the HTTP stream. The cookie is used to maintain persistence (mapping a specific end user to a specific application server.)

The Problem

With all 3 cookies in the HTTP stream, the total cookie data volume exceeded 2 kilobytes. The ACE load balancer uses a 2 kilobyte buffer when processing the HTTP headers. If the HTTP headers exceed 2 kilobytes, the ACE load balancer would drop the packets and send a TCP reset packet to the client to abort the stream.

The Cure

Network Engineers increased the header_maxparse_length parameter to 3 kilobytes and changed the default behavior from "drop packets and send a TCP reset" to "continue processing the request" by changing the length-exceed parameter on the VIP in question.