05-13-2010 09:24 AM
Hi,
I have several users located in India trying to connect to a VIP in Canada over an https link and experiencing issues connecting (local users can connect fine to this URL from Vista PC's). The same URL is accessible from India on Win2k PC's. The Vista PC and server successfully established a TCP connection and also start to exchange SSL client/server hellos. It's after this exchange of SSL hellos that I see IP fragmentation and other lost packets messages. Doing a tracert from the PC to the CSS VIP and vice-versa shows 18 hops, so I wonder if I'm experiencing some sort of time-out issue, but why only for Vista?
I've attached (.bmp) the relevant lines from a wireshark capture from a Vista PC.
PC: 172.16.225.47
VIP: 192.168.16.77
Pings to the users' gateway from Canada to India:
H:\>ping 172.16.224.1 -t
Ping statistics for 172.16.224.1:
Packets: Sent = 270, Received = 270, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 344ms, Maximum = 365ms, Average = 345ms
Any ideas on why the communication fails after the SSL hellos on the Vista PC's?
Thank you in advance!
Manjit
05-17-2010 05:38 AM
Manjit,
Most probably a Window Scaling option that is now being used by default by Microsoft Vista.
CSS is not using it by default.
CSCsk92868 HTTP requests fail from Windows Vista client
CSCsv12580: Allow the propagation of TCP Window Scale to be configurable
A nice upgrade to the most recent version should take care of this.
Gilles.
05-17-2010 12:51 PM
Hi Gilles,
I have a couple more questions:
Q1. I have 8.10.1.06 running, would you recommend going to 8.20.4.02 or 8.20.3.03?
Q2. I have 8.20.3.03 running on a few other CSSes, would this cause any compatibility issues between the versions if I go with 8.20.4.02?
Q3. What does the integer value in the "flow tcp-window-scale" command do and how do I know what to set it to?
CSS11501(config)# flow tcp-window-scale ?
Thanks again for your excellent advice!
Manjit
05-18-2010 09:10 AM
My personal choice would be 8.20.4.02.
There is no compatibility concern except if you want the 2 devices to be configured in box-to-box redundancy.
In this case, I would recommend having the same version on both CSS.

CSS11503(config)# flow tcp-window-scale ?
  Integer value(Range: 0-14)

CSS11503(config)# no flow tcp-window-scale
  tcp-window-scale   Reset TCP window scale shift count to default (not sent)

This configuration parameter is related to the spoofed TCP SYN/ACK sent back to the client. If this new configuration parameter is set, the CSS will insert the TCP WS option in the TCP SYN/ACK back to the client.
So, you need to set the same WS as what is configured on the server.
Gilles.
06-24-2010 07:07 AM
Hi,
I have a few more questions, if you don't mind.
Q1. Is changing the tcp-window-scale value a global change? Does it affect all content rules on the CSS?
Q2. I'm still trying to understand the value and how it relates to the window size in bytes.
for example window size of
1 = 1024bytes ?
2 = 2048bytes ?
...
14 = ??? bytes
How exactly is this calculated ??
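The relationship asked about above, as an added example that is not part of the original thread: under RFC 7323 the Window Scale option (kind 3) carries a shift count, and the advertised window in bytes is the 16-bit window field shifted left by that count, but only when both the SYN and the SYN/ACK carried the option. The sketch goes a step further than the question and parses the option out of raw TCP headers, so the same check can be run on headers exported from a capture; the header bytes, ports and shift values below are constructed samples, not taken from the poster's trace.

```python
import struct

WS_KIND = 3          # TCP Window Scale option (RFC 7323)
MAX_SHIFT = 14       # upper bound, same as the 0-14 range shown by the CSS CLI

def parse_tcp_options(hdr: bytes) -> dict:
    """Map option kind -> value bytes for a raw TCP header."""
    end = (hdr[12] >> 4) * 4                 # data offset, in bytes
    if end < 20 or end > len(hdr):
        raise ValueError("bad TCP data offset")
    opts, i = {}, 20
    while i < end:
        kind = hdr[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            raise ValueError("malformed TCP option")
        opts[kind] = hdr[i + 2:i + hdr[i + 1]]
        i += hdr[i + 1]
    return opts

def window_scale(hdr: bytes):
    """Shift count offered in a SYN or SYN/ACK, or None when the option is absent."""
    value = parse_tcp_options(hdr).get(WS_KIND)
    return None if value is None or len(value) != 1 else min(value[0], MAX_SHIFT)

def effective_window(window_field: int, sender_shift, peer_shift) -> int:
    """Bytes advertised by a non-SYN segment; scaling is on only if both sides offered WS."""
    if sender_shift is None or peer_shift is None:
        return window_field
    return window_field << sender_shift

def build_header(flags: int, window: int, options: bytes = b"") -> bytes:
    """Constructed test header: ports, seq and ack are arbitrary sample values."""
    options += b"\x01" * (-len(options) % 4)   # pad options to a 32-bit boundary with NOPs
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, offset << 4, flags, window, 0, 0) + options

# Constructed sample handshake: client SYN offers WS shift 2, SYN/ACK carries MSS only.
SYN = build_header(0x02, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02")
SYNACK_NO_WS = build_header(0x12, 8192, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    print("client shift:", window_scale(SYN), "server shift:", window_scale(SYNACK_NO_WS))
    for shift in (0, 1, 2, 14):
        print(f"shift {shift:2}: max window {effective_window(65535, shift, 0):,} bytes")
```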