Cisco 11503 - CSS Content Services Switch Configuration Manual page 122

Chapter 4 Configuring SSL Termination
Configuring Virtual SSL Servers for an SSL Proxy List
If a connection is stuck using SSL sticky, be aware that the connection loses SSL
Note
sticky persistence each time that the CSS performs handshake renegotiation
because the SSL session ID regenerates within an existing TCP flow. Because of
this situation, the CSS is not aware of the new SSL session ID. When the next TCP
connection comes in for this SSL flow, the CSS considers it as a new SSL session
and load balances the connections to an SSL service. If there is more than one
service and multiple SSL modules, the CSS may send the connection to a different
SSL module. The connection will be a new SSL session to that SSL module,
which causes the connection to be renegotiated for a second time. After the second
renegotiation, the CSS is aware of the SSL session ID and the SSL session sticks
to the other SSL module.
In this case, turning on SSL rehandshaking can cause SSL sessions to require
additional resources to perform handshake renegotiation. If you are operating in
a high traffic environment, this may impact overall SSL performance.
Cisco Content Services Switch SSL Configuration Guide
4-40
OL-5655-01