I am load balancing two squid proxies behind a pair of CSS 11503 in box-to-box redundancy mode. Somewhat regularly, SSL connections (https) started by Internet Explorer hang. These connections are mostly file transfers, and should complete in 1-3 minutes.

The problem happens with both vip addresses. There is no problem with http requests. There is no problem if one of the IP addresses of the squid proxies is entered in the configuration of the Internet Explorer instead of one of the vips. I can't find any messages on the logging host which relate to the problem.

The ssl connections do not terminate on the CSS or the squid, but are proxied to the target server.

The network looks like this (simplified):

    personal computers running IE
      |
    router (Cisco)
      |
    switch --- CSS
      |
    proxies
      |
    Firewall
      |
    Internet

The configuration details (full configuration is appended as file):

    flow permanent port1 135
    flow permanent port2 6001
    flow permanent port4 60001
    flow permanent port5 60000
    flow permanent port3 24804
    flow permanent port6 3268
    flow permanent port7 3269
    !*** the above block is due to some other loadbalancing rules on the CSS

    ip route 0.0.0.0 0.0.0.0 192.0.2.65 1

    circuit VLAN1
      redundancy
      ip address 192.0.2.1 255.255.255.248
        no redirects
      ip address 192.0.2.68 255.255.255.192
        no redirects

    service proxy1-script
      ip address 192.0.2.84
      keepalive frequency 3
      keepalive retryperiod 3
      keepalive type script ap-kal-squid "192.0.2.84 8080 2000"
      active

    service proxy2-script
      ip address 192.0.2.85
      keepalive frequency 3
      keepalive retryperiod 3
      keepalive type script ap-kal-squid "192.0.2.85 8080 2000"
      active

    owner customer-h
      content proxy1-main
        flow-reset-reject
        flow-srvdown-reset
        flow-timeout-multiplier 225
        add service proxy1-script
        vip address 192.0.2.78
        protocol tcp
        primarySorryServer proxy2-script
        active

      content proxy2-content
        flow-reset-reject
        flow-srvdown-reset
        vip address 192.0.2.79
        protocol tcp
        add service proxy2-script
        primarySorryServer proxy1-script
        active

    group heycom-proxy2-content
      vip address 192.0.2.79
      active

The load balancer IP 192.0.2.68 is the gateway on the squid proxies for the IPs of the personal computers running IE.

What I have already tried is:

- replace the hardware of the CSS
- update the firmware version from 08.20.4.02 to 08.20.5.01