Migration from SCA1 to CSS onboard SSL

tim.pearce
Level 1

I've migrated SSL from 2 SCAs load balanced with a CSS11503 to just the CSS with the onboard encryption engine and have noticed increased latency when the initial SSL connection is set up. The configuration hasn't changed apart from the SSL config. Once the session is up it seems OK.

Any ideas?

9 Replies

tim.pearce
Level 1

Looks like I spoke too soon: some clients have been reporting pages not found after negotiating an SSL session. The main problem, though, is the server seeing timeout errors from clients, probably due to the latency of using the onboard SSL. I've had to revert to using the SCAs, which run fine.

!*** SSL PROXY LIST ***
ssl-proxy-list ssl-proxy-list
  ssl-server 40
  ssl-server 40 vip address 10.117.247.40
  ssl-server 40 cipher rsa-with-rc4-128-md5 10.117.247.40 1040 weight 10
  ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 10.117.247.40 1040 weight 8
  ssl-server 40 cipher rsa-with-rc4-128-sha 10.117.247.40 1040 weight 8
  ssl-server 40 cipher rsa-export-with-rc4-40-md5 10.117.247.40 1040
  ssl-server 40 rsacert secure-ass
  ssl-server 40 rsakey secure1024-ass
  active

!*** SERVICE ***
service ssl_negotiate
  type ssl-accel
  slot 2
  add ssl-proxy-list ssl-proxy-list
  keepalive type none
  active

service web_1_commercial
  protocol tcp
  port 80
  ip address 10.117.246.93
  keepalive type tcp
  keepalive port 80
  active

service web_1_http(s)
  protocol tcp
  port 81
  ip address 10.117.246.93
  keepalive type tcp
  keepalive port 81
  active

service web_1_redirect
  type redirect
  protocol tcp
  port 80
  ip address 10.117.246.93
  keepalive type tcp
  keepalive port 80
  active

service web_1_tpw_sc
  protocol tcp
  port 80
  ip address 10.117.246.93
  keepalive type tcp
  keepalive port 80
  string ujcs228b
  active

service web_2_commercial
  protocol tcp
  port 80
  ip address 10.117.246.94
  keepalive type tcp
  keepalive port 80
  active

service web_2_http(s)
  protocol tcp
  port 81
  ip address 10.117.246.94
  keepalive type tcp
  keepalive port 81
  active

service web_2_redirect
  type redirect
  protocol tcp
  port 80
  ip address 10.117.246.94
  keepalive type tcp
  active

service web_1_tpw_sc
  protocol tcp
  port 80
  ip address 10.117.246.93
  keepalive type tcp
  keepalive port 80
  string u6ci2g8b
  active


service web_2_tpw_sc
  protocol tcp
  port 80
  ip address 10.117.246.94
  keepalive type tcp
  keepalive port 80
  string ufm3r34m
  active

!*** OWNER ***
owner www

  content commercial
    vip address 10.117.247.40
    balance leastconn
    protocol tcp
    port 80
    url "//www.website.com/*"
    add service web_1_commercial
    add service web_2_commercial
    active

  content http_to_https
    vip address 10.117.247.40
    add service web_1_http(s)
    add service web_2_http(s)
    balance leastconn
    protocol tcp
    port 80
    url "//secure.website.com/*"
    active

  content https_to_http
    vip address 10.117.247.40
    balance leastconn
    protocol tcp
    port 1040
    url "//www.website.com/*"
    add service web_1_http(s)
    add service web_2_http(s)
    active

  content ip_match
    vip address 10.117.247.40
    balance leastconn
    protocol tcp
    port 80
    url "/*"
    add service web_1_http(s)
    add service web_2_http(s)
    active

  content tpw_ssl_local
    add service ssl_negotiate
    vip address 10.117.247.40
    protocol tcp
    port 443
    application ssl
    active

  content transactional
    vip address 10.117.247.40
    url "//secure.website.com/*"
    balance leastconn
    advanced-balance cookies
    add service web_1_tpw_sc
    add service web_2_tpw_sc
    protocol tcp
    port 1040
    string prefix "JSESSIONID"
    string skip-length 29
    string process-length 8
    string range 1 to 200
    active

With just the configuration there really isn't a good way to determine the cause of the delay or the page-not-found errors. For that you should probably get sniffer traces and possibly ssldump. Are you using URL rewrite on the SCA? There might be other issues due to idle flows, etc.

Hi,

Could you try disabling TCP Nagle, choosing the SSL unclean-shutdown, enabling keepalive mode for HTTP sessions on your server, and varying the ssl-queue delay?

If your clients are Microsoft, disable TCP Nagle on both sides.

Enable the unclean shutdown.

Alter the SSL queue delay to 0.

Best Regards

Cisco came back with altering the queue delay to 0, which seemed to do the trick: SSL was much quicker. Testing went OK, but in production we still saw some clients on dialup getting page-not-found errors or the server thinking that the client had ended the session. This behaviour is not seen when introducing the SCAs.

I will try disabling Nagle and enabling unclean shutdown. Many thanks for the post; sorry I haven't been able to get back to the board earlier.

Hello Tim,

there is also a bug fixed in 7.20 405 where the backend connection gets passed in cleartext to the client.

This occurs only when the TCP port of your content rule does not match the service port you configured.

Best Regards

Sven Butzek
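The two configuration checks this thread raises, written here as an added example rather than anything from the thread or from Cisco: it parses a constructed excerpt of the CSS config posted above, lists content rules whose port differs from a bound service's port (the condition Sven names for the cleartext bug, so each hit should be reviewed against the fix he mentions), and flags the export-grade and RC4 suites in the ssl-proxy-list. The function names and the excerpt are assumptions; port translation between a content rule and its services is a legitimate CSS feature, so a hit is a review item, not a confirmed defect.

```python
# Constructed excerpt of the CSS config posted above (not the full running-config).
SAMPLE_CONFIG = """ssl-proxy-list ssl-proxy-list
  ssl-server 40 cipher rsa-with-rc4-128-md5 10.117.247.40 1040 weight 10
  ssl-server 40 cipher rsa-export-with-rc4-40-md5 10.117.247.40 1040
service ssl_negotiate
  type ssl-accel
service web_1_commercial
  port 80
service web_1_http(s)
  port 81
content commercial
  port 80
  add service web_1_commercial
content https_to_http
  port 1040
  add service web_1_http(s)
content tpw_ssl_local
  port 443
  add service ssl_negotiate"""

def parse_css(text):
    services, contents, ciphers, cur = {}, {}, [], None
    for words in (l.split() for l in text.splitlines() if l.strip()):
        if words[0] == "service" and len(words) == 2:
            cur = services.setdefault(words[1], {"port": None})
        elif words[0] == "content" and len(words) == 2:
            cur = contents.setdefault(words[1], {"port": None, "services": []})
        elif words[0] == "ssl-server" and "cipher" in words:
            ciphers.append(words[words.index("cipher") + 1])
        elif cur is not None:  # attributes of the current block; others ignored
            if words[0] == "port":
                cur["port"] = int(words[1])
            elif words[:2] == ["add", "service"]:
                cur["services"].append(words[2])
    return services, contents, ciphers

def port_mismatches(services, contents):
    """Content rules whose port differs from a bound service's port (Sven's trigger)."""
    hits = []
    for cname, c in contents.items():
        for sname in c["services"]:
            s = services.get(sname)
            if not s or None in (s["port"], c["port"]):
                continue  # unbound or portless (ssl-accel) service: nothing to compare
            if c["port"] != s["port"]:
                hits.append((cname, c["port"], sname, s["port"]))
    return hits

def weak_ciphers(ciphers):
    return [c for c in ciphers if "export" in c or "rc4" in c]  # 40-bit export or RC4
```

Run against the full config above, the same check also reports http_to_https, ip_match and transactional, each of which binds services on a port other than the rule's own.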

Thanks for the reply. I've got a TAC case open, so I'll let you know how I get on. I'm not doing URL rewrite on the SCA; in fact the only difference is the SSL being terminated on the onboard engine instead of the SCA. Traces have shown time waits of over 2 seconds with the onboard, but time waits have also been seen with the SCA, though only up to 2 secs.

anthony.ezewele
Level 1

Hello,

Can you help me please? I am having a problem with my content engine after an upgrade. The pages seem to be very slow opening up and the performance is unbearably slow. Would you know why this is occurring?

Thanks in advance.

Tony

Tony,

There really isn't enough information to go on.

You may need to look at sniffer traces to determine the problem. Generally that is what we do to determine the cause of delays. The main cause is generally slowness or non-response from the server on the CE-to-server connection.

You should open a TAC case for this.

Michael Voight

CSE
