
CSS 11503 loadbalancing squid proxies: SSL connections sometimes hang

I am loadbalancing two squid proxies behind a pair of CSS 11503 in box-to-box redundancy mode.

Somewhat regularly, SSL connections (https) started by Internet Explorer hang.

These connections are mostly file transfers, and should complete in 1-3 minutes.

The problem happens with both vip addresses.

There is no problem with http requests.

There is no problem if one of the IP addresses of the squid proxies is entered in the configuration of the Internet Explorer instead of one of the vips.

I can't find any messages on the logging host, which relate to the problem.

The ssl connections do not terminate on the CSS or the squid, but are proxied to the target server.

The network looks like this (simplified):

personal computers running IE
  |
router (Cisco)
  |
switch  ---  CSS
  |
proxies
  |
Firewall
  |
Internet

The configuration details (full configuration is appended as file)

  flow permanent port1 135
  flow permanent port2 6001
  flow permanent port4 60001
  flow permanent port5 60000
  flow permanent port3 24804
  flow permanent port6 3268
  flow permanent port7 3269
!*** the above block is due to some other loadbalancing rules on the CSS

  ip route 0.0.0.0 0.0.0.0 192.0.2.65 1

circuit VLAN1
  redundancy
  ip address 192.0.2.1 255.255.255.248
    no redirects
  ip address 192.0.2.68 255.255.255.192
    no redirects

service proxy1-script
  ip address 192.0.2.84
  keepalive frequency 3
  keepalive retryperiod 3
  keepalive type script ap-kal-squid "192.0.2.84 8080 2000"
  active

service proxy2-script
  ip address 192.0.2.85
  keepalive frequency 3
  keepalive retryperiod 3
  keepalive type script ap-kal-squid "192.0.2.85 8080 2000"
  active

owner customer-h
  content proxy1-main
    flow-reset-reject
    flow-srvdown-reset
    flow-timeout-multiplier 225
    add service proxy1-script
    vip address 192.0.2.78
    protocol tcp
    primarySorryServer proxy2-script
    active

  content proxy2-content
    flow-reset-reject
    flow-srvdown-reset
    vip address 192.0.2.79
    protocol tcp
    add service proxy2-script
    primarySorryServer proxy1-script
    active

group heycom-proxy2-content
  vip address 192.0.2.79
  active

The loadbalancer IP 192.0.2.68 is the gateway on the squid proxies for the IPs of the personal computers running IE.

What I have already tried is:

- replace the hardware of the CSS

- update the firmware version from 08.20.4.02 to 08.20.5.01.
