05-08-2004 08:21 PM
I've migrated SSL from two SCAs load balanced with a CSS11503 to just the CSS with the onboard encryption engine, and have noticed increased latency when the initial SSL connection is set up. The configuration hasn't changed apart from the SSL config. Once the session is up it seems OK.
Any ideas?
05-10-2004 07:14 AM
Looks like I spoke too soon: some clients have been reporting pages not found after negotiating an SSL session. The main problem though is the server seeing timeout errors from clients, probably due to the latency of using the onboard SSL. I've had to revert to using the SCAs, which run fine.
**SSL PROXY LIST
ssl-proxy-list ssl-proxy-list
ssl-server 40
ssl-server 40 vip address 10.117.247.40
ssl-server 40 cipher rsa-with-rc4-128-md5 10.117.247.40 1040 weight 10
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 10.117.247.40 1040 weight 8
ssl-server 40 cipher rsa-with-rc4-128-sha 10.117.247.40 1040 weight 8
ssl-server 40 cipher rsa-export-with-rc4-40-md5 10.117.247.40 1040
ssl-server 40 rsacert secure-ass
ssl-server 40 rsakey secure1024-ass
active
***SERVICE
service ssl_negotiate
type ssl-accel
slot 2
add ssl-proxy-list ssl-proxy-list
keepalive type none
active
service web_1_commercial
protocol tcp
port 80
ip address 10.117.246.93
keepalive type tcp
keepalive port 80
active
service web_1_http(s)
protocol tcp
port 81
ip address 10.117.246.93
keepalive type tcp
keepalive port 81
active
service web_1_redirect
type redirect
protocol tcp
port 80
ip address 10.117.246.93
keepalive type tcp
keepalive port 80
active
service web_1_tpw_sc
protocol tcp
port 80
ip address 10.117.246.93
keepalive type tcp
keepalive port 80
string ujcs228b
active
service web_2_commercial
protocol tcp
port 80
ip address 10.117.246.94
keepalive type tcp
keepalive port 80
active
service web_2_http(s)
protocol tcp
port 81
ip address 10.117.246.94
keepalive type tcp
keepalive port 81
active
service web_2_redirect
type redirect
protocol tcp
port 80
ip address 10.117.246.94
keepalive type tcp
active
service web_1_tpw_sc
protocol tcp
port 80
ip address 10.117.246.93
keepalive type tcp
keepalive port 80
string u6ci2g8b
active
service web_2_tpw_sc
protocol tcp
port 80
ip address 10.117.246.94
keepalive type tcp
keepalive port 80
string ufm3r34m
active
************ OWNER
owner www
content commercial
vip address 10.117.247.40
balance leastconn
protocol tcp
port 80
url "//www.website.com/*"
add service web_1_commercial
add service web_2_commercial
active
content http_to_https
vip address 10.117.247.40
add service web_1_http(s)
add service web_2_http(s)
balance leastconn
protocol tcp
port 80
url "//secure.website.com/*"
active
content https_to_http
vip address 10.117.247.40
balance leastconn
protocol tcp
port 1040
url "//www.website.com/*"
add service web_1_http(s)
add service web_2_http(s)
active
content ip_match
vip address 10.117.247.40
balance leastconn
protocol tcp
port 80
url "/*"
add service web_1_http(s)
add service web_2_http(s)
active
content tpw_ssl_local
add service ssl_negotiate
vip address 10.117.247.40
protocol tcp
port 443
application ssl
active
content transactional
vip address 10.117.247.40
url "//secure.website.com/*"
balance leastconn
advanced-balance cookies
add service web_1_tpw_sc
add service web_2_tpw_sc
protocol tcp
port 1040
string prefix "JSESSIONID"
string skip-length 29
string process-length 8
string range 1 to 200
active
05-17-2004 01:49 PM
With just the configuration, there really isn't a good way to determine the cause of the delay or page not found. For that you should probably get sniffer traces and possibly ssldump. Are you using urlrewrite on the SCA? There might be other issues due to idle flows, etc.
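One way to get the numbers a sniffer trace or ssldump would give you, as an added example that is not part of the thread: a Python probe that times the TCP connect, the TLS handshake and the time to first byte as separate legs, then repeats the request with the saved session to show whether the VIP resumes it (the "once the session is up" case). The host is a placeholder argument; a modern Python/OpenSSL will not offer the RC4 or export suites listed in the posted ssl-proxy-list, so it measures whatever the VIP currently negotiates.

```python
"""Added example (not from the thread): time each leg of an HTTPS request
separately so handshake latency can be told apart from a slow backend.
The target host is an argument; the default is a placeholder from the thread."""
import socket
import ssl
import sys
import time


def make_context():
    """One context shared by all probes: a saved session can only be
    resumed through the context that created it. Verification is off
    because this is a timing probe, not a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port=443, path="/", timeout=10.0, ctx=None, session=None):
    """Return per-leg timings in ms for one HTTPS request.

    connect_ms    : TCP handshake as seen by the client
    handshake_ms  : TLS handshake only (the work the CSS/SCA does on the VIP)
    first_byte_ms : from request sent until the first response byte
    plus negotiated protocol/cipher, whether the session was resumed, and
    the session object to hand to a second probe."""
    ctx = ctx or make_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host, session=session,
                          do_handshake_on_connect=False)
    tls.do_handshake()
    t2 = time.perf_counter()
    req = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (path, host)).encode("ascii")
    tls.sendall(req)
    first = tls.recv(1)
    t3 = time.perf_counter()
    cipher = tls.cipher()
    result = {
        "connect_ms": (t1 - t0) * 1000.0,
        "handshake_ms": (t2 - t1) * 1000.0,
        "first_byte_ms": (t3 - t2) * 1000.0,
        "protocol": tls.version(),
        "cipher": cipher[0] if cipher else None,
        "reused": tls.session_reused,
        "session": tls.session,
        "got_byte": bool(first),
    }
    tls.close()
    return result


def slowest_leg(timing, tolerance_ms=50.0):
    """Name the leg that dominates a probe result: 'connect', 'handshake',
    'first_byte', or 'none' when every leg is under tolerance_ms."""
    legs = {k: timing[k] for k in ("connect_ms", "handshake_ms", "first_byte_ms")}
    worst = max(legs, key=legs.get)
    if legs[worst] < tolerance_ms:
        return "none"
    return worst[:-3]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "secure.website.com"  # placeholder
    ctx = make_context()
    fresh = probe(host, ctx=ctx)
    resumed = probe(host, ctx=ctx, session=fresh["session"])
    for label, r in (("fresh", fresh), ("resumed", resumed)):
        print("%-8s connect %6.1f ms  handshake %7.1f ms  first byte %7.1f ms  "
              "%s %s reused=%s  slowest=%s"
              % (label, r["connect_ms"], r["handshake_ms"], r["first_byte_ms"],
                 r["protocol"], r["cipher"], r["reused"], slowest_leg(r)))
```

Run it a few dozen times from a client on the same path the dial-up users take: a handshake leg that is consistently the slowest points at the SSL termination device, a first-byte leg that is slowest points at the backend behind the 1040 content rules, and a resumed run that is no faster than the fresh one means each page element is paying the full handshake again.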
05-19-2004 03:42 AM
Hi,
could you try disabling TCP Nagle, choosing the SSL unclean shutdown, enabling keepalive mode for HTTP sessions on your server, and varying the ssl-queue delay.
If your clients are Microsoft, disable TCP Nagle on both sides.
Enable the unclean shutdown.
Alter the SSL queue delay to 0.
Best Regards
07-05-2004 12:51 PM
Cisco came back with altering the queue delay to 0, which seemed to do the trick; SSL was much quicker. Testing went OK, but in production we still saw some clients on dial-up getting page not founds, or the server thinking that the client had ended the session. This behaviour is not seen when introducing the SCAs.
I will try disabling Nagle and enabling unclean shutdown. Many thanks for the post; sorry I haven't been able to get back to the board earlier.
07-05-2004 11:22 PM
Hello Tim,
there is also a bug fixed in 7.20 405 where the backend connection gets passed in cleartext to the client.
This occurs only when the TCP port of your content rule does not match the service port you configured.
Best Regards
Sven Butzek
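To check the condition Sven describes against the posted configuration, here is an added example that is not code from the thread or from Cisco: a small Python linter that parses the `service` and `content` blocks in the CSS syntax as posted (one directive per line, no indentation) and lists every content rule whose port differs from the port of a service added to it. It also lists the suites in the ssl-proxy-list that are export-grade, RC4 or MD5 based, since those stand out in the posted proxy list. `CONFIG` is a constructed excerpt of the thread's configuration, not a full device dump.

```python
"""Added example, not from the thread: a linter for the CSS11503 configuration
posted above. CONFIG is a constructed excerpt of that configuration, in the
syntax as posted (one directive per line, no indentation)."""

CONFIG = """\
ssl-proxy-list ssl-proxy-list
ssl-server 40 vip address 10.117.247.40
ssl-server 40 cipher rsa-with-rc4-128-md5 10.117.247.40 1040 weight 10
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 10.117.247.40 1040 weight 8
ssl-server 40 cipher rsa-with-rc4-128-sha 10.117.247.40 1040 weight 8
ssl-server 40 cipher rsa-export-with-rc4-40-md5 10.117.247.40 1040
active
service ssl_negotiate
type ssl-accel
add ssl-proxy-list ssl-proxy-list
active
service web_1_http(s)
protocol tcp
port 81
active
service web_1_tpw_sc
protocol tcp
port 80
active
content https_to_http
vip address 10.117.247.40
protocol tcp
port 1040
add service web_1_http(s)
active
content tpw_ssl_local
add service ssl_negotiate
protocol tcp
port 443
application ssl
active
content transactional
add service web_1_tpw_sc
protocol tcp
port 1040
active
"""


def parse(text):
    """Return (services, contents, ciphers) from CSS-style config text."""
    services, contents, ciphers = {}, {}, []
    block = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "service":
            block = services.setdefault(w[1], {"port": None, "type": "server"})
        elif w[0] == "content":
            block = contents.setdefault(w[1], {"port": None, "services": []})
        elif w[0] == "ssl-server":
            block = None
            if "cipher" in w:
                # ssl-server <n> cipher <suite> <backend ip> <backend port> [weight <w>]
                i = w.index("cipher")
                ciphers.append({"suite": w[i + 1], "backend_port": int(w[i + 3]),
                                "weight": int(w[w.index("weight") + 1])
                                if "weight" in w else None})
        elif block is None:
            continue
        elif w[0] == "port" and len(w) == 2:
            block["port"] = int(w[1])
        elif w[0] == "type" and "type" in block:
            block["type"] = w[1]
        elif w[:2] == ["add", "service"]:
            block["services"].append(w[2])
    return services, contents, ciphers


def port_mismatches(services, contents):
    """(content, content port, service, service port) for every content rule
    whose port differs from an added service's port. ssl-accel services have
    no port of their own and are skipped."""
    found = []
    for cname, c in contents.items():
        for sname in c["services"]:
            s = services.get(sname)
            if s is None or s["type"] == "ssl-accel" or s["port"] is None:
                continue
            if c["port"] != s["port"]:
                found.append((cname, c["port"], sname, s["port"]))
    return found


def weak_suites(ciphers):
    """Suites that are export-grade or use RC4 or MD5, in config order."""
    bad = {"export", "rc4", "md5"}
    return [c["suite"] for c in ciphers if bad & set(c["suite"].lower().split("-"))]


def report(text):
    services, contents, ciphers = parse(text)
    lines = ["content %s listens on %d but service %s is on port %d" % m
             for m in port_mismatches(services, contents)]
    lines += ["ssl-proxy-list offers weak suite %s" % s for s in weak_suites(ciphers)]
    return lines


if __name__ == "__main__":
    for line in report(CONFIG):
        print(line)
```

Against the excerpt it reports `https_to_http` (port 1040) fronting `web_1_http(s)` (port 81) and `transactional` (port 1040) fronting `web_1_tpw_sc` (port 80), which are the two rules on the decrypted side of the ssl-server backend port 1040, plus three of the four suites. Whether a given mismatch actually triggers the bug Sven mentions depends on the release in use; the linter only tells you which rules match the trigger condition he states.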
05-19-2004 11:26 AM
Thanks for the reply. I've got a TAC case open, so I'll let you know how I get on. I'm not doing URL rewrite on the SCA; in fact the only difference is the SSL being terminated on the onboard engine instead of the SCA. Traces have shown time waits of over 2 seconds with the onboard engine, but time waits have also been seen with the SCA, only up to 2 secs.
05-19-2004 04:47 AM
Hello,
Can you help me please? I am having a problem with my content engine after an upgrade. The pages seem very slow to open and the performance is unbearably slow. Would you know why this is occurring?
Thanks in advance.
Tony
05-19-2004 09:09 AM
Tony,
There really isn't enough information to go on.
You may need to look at sniffer traces to determine the problem. Generally that is what we do to determine the cause of delays. The main cause is generally due to slowness or non response from the server in the CE to server connection.
You should open a TAC case for this.
Michael Voight
CSE