Broken SSL sessions on a CSS11503

franz.macsek
Level 1

We are using a CSS11503 without SSL module and S/W-Version 7.20 Build 104.

We define the following content rule:

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  protocol tcp
  port 443
  balance srcip
  application ssl
  active

We see that SSL sessions from a client to the vip address 143.245.6.101 are interrupted after a while (some after 10 minutes, others later).

A network sniffer trace, where the sniffer is located at the CSS uplink near the firewall, tells us:

- while the SSL session is up, there is a regular SSL network flow from the CSS VIP address to the client.

- in cases where the session is interrupted, we only see some packets directly sent by the server behind the CSS VIP address to the client!!??

It seems that the CSS box stops switching the packets according to the content rule after a while (e.g. 10 minutes). Instead, the packets are routed as if there were no content rule.

Do you have any idea what we can do?

Thank you for your help

Franz


rob
Level 1

Hi, I could be mistaken, but shouldn't you configure sticky IP so the TCP sessions remain on the box, especially for SSL connections?

Try the following and see what happens

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  sticky-mask 255.255.0.0
  advanced-balance sticky-srcip
  protocol tcp
  port 443
  application ssl
  active

Hi,

I defined the content rule in the following way, analogous to a configuration example by Cisco:

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  application ssl
  advanced-balance ssl
  protocol tcp
  port 443
  url "/*"
  balance aca
  active

In addition I suspended the service citrix-csg.oekb.at_https_2!

The result of this test scenario was the same as before: after a while the SSL session dies ...

Thank you for your first aid,

Franz

Most probably the connection stayed idle for at least 16 seconds and it was then garbage collected and RST by the CSS.

Try the command 'flow-timeout-multiplier 10' under the content rule configuration and see if this improves the situation.

If it improves but does not solve completely, increase the value from 10 to 50.

Gilles.
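The diagnosis above (a flow idle longer than the CSS inactivity timeout gets garbage collected and reset) can be checked against a packet trace before touching the configuration. The following is an added example, not code from the thread or from Cisco: it groups a constructed sniffer trace into bidirectional flows, reports the longest idle gap per flow, and compares it against an assumed inactivity timeout of 16 seconds times the 'flow-timeout-multiplier' value (the 16-second base is taken from the post above; the multiplication is an assumption for this example). The IP addresses and timestamps in the trace are constructed.

```python
"""Idle-gap analysis for load-balancer flows (added example, not from the thread).

Given packets captured at the CSS uplink, find flows whose idle gap meets or
exceeds the assumed CSS flow inactivity timeout (16 s * flow-timeout-multiplier)
and compute the smallest multiplier that would keep every observed flow alive.
"""
import math
from collections import defaultdict

# Base idle interval named in the thread; the multiplier scaling is assumed.
BASE_FLOW_TIMEOUT_S = 16

# Constructed trace: (timestamp_s, src_ip, src_port, dst_ip, dst_port).
# Client 10.0.0.5 talks to the VIP 143.245.6.101:443 and goes quiet for
# roughly 40 s mid-session, the kind of pause a parked Citrix session makes.
# Client 10.0.0.9 is chatty and never idles long enough to be collected.
TRACE = [
    (0.0, "10.0.0.5", 50123, "143.245.6.101", 443),
    (0.1, "143.245.6.101", 443, "10.0.0.5", 50123),
    (5.0, "10.0.0.5", 50123, "143.245.6.101", 443),
    (5.1, "143.245.6.101", 443, "10.0.0.5", 50123),
    (45.0, "10.0.0.5", 50123, "143.245.6.101", 443),   # after ~40 s idle
    (45.1, "143.245.6.101", 443, "10.0.0.5", 50123),
    (0.0, "10.0.0.9", 41000, "143.245.6.101", 443),
    (8.0, "10.0.0.9", 41000, "143.245.6.101", 443),
    (16.5, "10.0.0.9", 41000, "143.245.6.101", 443),
]


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent 4-tuple so both halves of a TCP conversation
    land in the same flow record."""
    return tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))


def idle_gaps(trace):
    """Return {flow_key: [gap_seconds, ...]} for each consecutive packet pair."""
    stamps_by_flow = defaultdict(list)
    for ts, sip, sport, dip, dport in trace:
        stamps_by_flow[flow_key(sip, sport, dip, dport)].append(ts)
    gaps = {}
    for key, stamps in stamps_by_flow.items():
        stamps.sort()
        gaps[key] = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
    return gaps


def flows_at_risk(trace, multiplier=1):
    """Flows whose longest idle gap meets or exceeds the configured timeout,
    i.e. the flows the CSS would garbage collect and RST under this setting."""
    timeout = BASE_FLOW_TIMEOUT_S * multiplier
    return {
        key: max(g)
        for key, g in idle_gaps(trace).items()
        if g and max(g) >= timeout
    }


def recommended_multiplier(trace):
    """Smallest multiplier under which no observed flow is at risk."""
    longest = max((max(g) for g in idle_gaps(trace).values() if g), default=0.0)
    return max(1, math.floor(longest / BASE_FLOW_TIMEOUT_S) + 1)


if __name__ == "__main__":
    for mult in (1, 3, 5):
        risky = flows_at_risk(TRACE, mult)
        print(f"multiplier {mult} (timeout {BASE_FLOW_TIMEOUT_S * mult}s): "
              f"{len(risky)} flow(s) at risk")
        for key, gap in risky.items():
            print(f"  {key[0]} <-> {key[1]} idle {gap:.1f}s")
    print("recommended flow-timeout-multiplier:", recommended_multiplier(TRACE))
```

Run against a real capture, the same idle-gap report tells you whether the resets line up with the timeout (a gap slightly above 16 s × multiplier just before the server-to-client packets appear) or whether something else is tearing the session down; it also gives a defensible starting value for the multiplier rather than guessing between 5, 10 and 50.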

Hi Gilles,

thank you for your hint. Using the command 'flow-timeout-multiplier 5' under the content rule configuration seems to solve our problem with broken SSL sessions.

Thank you

Franz

May I ask you to mark the thread as solved so other people only looking at the solution can read this discussion.

Glad to see the problem is solved.

Thanks,

Gilles.

I have the same issue on a 11050 running 6.10 build 4 and the flow-timeout command doesn't exist. Is there anything I can use?

Thanks

Tony

Try the global config command 'flow port1 443 timeout '.

Regards,

Gilles.
