01-25-2013 09:20 PM
I have a web application behind an SSL-offloading CSS 11506 that may require the server to be able to use an SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as sending an HTTP GET request), even though the SSL termination part is done and ready.
Any way to change this behavior?
The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
Thanks for any suggestions!
Andy
01-27-2013 02:54 AM
Your understanding is right.
This is also documented in the admin guide:
------------------------------------------------------------------------------
SSL termination in a CSS occurs when an SSL module, acting as a proxy server, terminates an SSL connection from a client, and then establishes a TCP connection to a server. When the module terminates the SSL connection, it decrypts the data and sends the data as clear text to the CSS for a decision on load balancing.
------------------------------------------------------------------------------
So ideally it waits for the data from the client to make a load balancing decision; until then it does not know where to send the data. I don't see a possible way to change this behavior.
It is also true that the same behavior will not be exhibited when you do SSL offloading on the server.
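An added illustration of the behavior discussed in this thread, not code from either poster or from Cisco: a loopback-only Python simulation in which a server-speaks-first backend sits behind a proxy that either opens the server-side connection at accept time or waits for the first client bytes, as a content-aware load balancer does. TLS is left out because the delay occurs after termination, and all function names are hypothetical.

```python
import socket, threading

def listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))          # ephemeral loopback port
    s.listen()
    return s

def serve(listener, handler):
    """Accept on a daemon thread and run one handler thread per connection."""
    def loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()

def backend(conn):
    # Server-speaks-first application: greets as soon as the connection exists.
    conn.sendall(b"READY\n")

def pipe(src, dst):
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
    except OSError:
        pass

def make_proxy(backend_addr, delayed_binding):
    def handler(client):
        first = b""
        if delayed_binding:
            # Content-aware mode: no server-side connect until the client
            # sends bytes that a balancing decision could be made on.
            first = client.recv(4096)
            if not first:
                return
        server = socket.create_connection(backend_addr)
        server.sendall(first)
        threading.Thread(target=pipe, args=(client, server), daemon=True).start()
        pipe(server, client)
    return handler

def idle_client_sees_greeting(delayed_binding, timeout=1.0):
    """Client connects, sends nothing, and waits for the server to speak."""
    backend_addr = serve(listen(), backend)
    proxy_addr = serve(listen(), make_proxy(backend_addr, delayed_binding))
    with socket.create_connection(proxy_addr, timeout=timeout) as c:
        try:
            return c.recv(16) == b"READY\n"
        except socket.timeout:
            return False
```

With `delayed_binding=True` the idle client times out because the backend never learns the connection exists, which matches the stalled data channel described in the first post.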
01-29-2013 06:08 AM
Thanks for the reply! This looks very similar to an IE9 problem described here: