topic Re: Broken SSL sessions on a CSS11503 in Application Networking

Broken SSL sessions on a CSS11503

franz.macsek — Wed, 05 Nov 2003 16:21:13 GMT

We are using a CSS11503 without SSL module and S/W-Version 7.20 Build 104.

We define the following content rule:

content citrix-csg.oekb.at_https

add service citrix-csg.oekb.at_https_1

add service citrix-csg.oekb.at_https_2

vip address 143.245.6.101

protocol tcp

port 443

balance srcip

application ssl

active

We see that SSL sessions from a client to the vip address 143.245.6.101 are interrupted after a while (some after 10 minutes, others later).

A network sniffer trace, where the sniffer is located at the CSS UPLINK near the firewall , tells us:

- while the SSL session is up, there is a regular SSL network flow from the CSS VIP address to the client.

- in cases where the session is interrupted, we only see some packets directly sent by the server behind the CSS VIP address to the client!!??

It seems that the CSS box stops after a while (e.g. 10 minutes) to switch the packets due to the content rule. Instead of this the packets are routed as if there would not be any content rule.

Do you have any idea, what we can do?

Thank you for your help

Franz

Re: Broken SSL sessions on a CSS11503

rob — Thu, 06 Nov 2003 13:09:32 GMT

Hi, I could be mistaken but shoudnt you configure sticky ip so the tcp sessions remain on the box especially for ssl connections

Try the following and see what happens

Content

content citrix-csg.oekb.at_https

add service citrix-csg.oekb.at_https_1

add service citrix-csg.oekb.at_https_2

vip address 143.245.6.101

sticky-mask 255.255.0.0

advanced-balance sticky-scrip

protocol tcp

port 443

application ssl

active

Re: Broken SSL sessions on a CSS11503

franz.macsek — Thu, 06 Nov 2003 17:41:57 GMT

Hi,

I defined the content rule in the following way - analog to an configuration example by cisco -

content citrix-csg.oekb.at_https

add service citrix-csg.oekb.at_https_1

add service citrix-csg.oekb.at_https_2

vip address 143.245.6.101

application ssl

advanced-balance ssl

protocol tcp

port 443

url "/*"

balance aca

active

In addition I suspended the service

citrix-csg.oekb.at_https_2!

The result of this test scenario was the same as before: after a while the SSL session dies ...

Thank you for your first aid,

Franz

Re: Broken SSL sessions on a CSS11503

Gilles Dufour — Fri, 07 Nov 2003 09:29:23 GMT

most probably the connection stayed idle for at least 16 seconds and it was then garbage collected and RST by the CSS.

Try the command 'flow-timeout-multiplier 10' under the content rule configuration and see if this improve the situation.

If it improves but does not solve completely, increase the value from 10 to 50.

Gilles.

Re: Broken SSL sessions on a CSS11503

franz.macsek — Mon, 10 Nov 2003 13:16:57 GMT

Hi Gilles,

thank you for your hint. Using the command

'flow-timeout-multiplier 5'

under the content rule configuration seems to solve our problem with broken SSL sessions.

Thank you

Franz

Re: Broken SSL sessions on a CSS11503

Gilles Dufour — Mon, 10 Nov 2003 14:14:43 GMT

may I ask you to mark the thread as solved so other people only looking at solution can read this discussion.

Glad to see the problem is solved.

Thanks,

Gilles.

Re: Broken SSL sessions on a CSS11503

tporembski — Fri, 23 Apr 2004 20:08:53 GMT

I have the same issue on a 11050 running 6.10 build 4 and the flow-timeoute command doesn't exist. is there anything I can use?

Thanks

Tony

Re: Broken SSL sessions on a CSS11503

Gilles Dufour — Mon, 26 Apr 2004 12:08:05 GMT

try the global config command 'flow port1 443 timeout '.

Regards,

Gilles.