SSL cookie sticky setting on CSM = Large amout of TCP retransmissions

hoffa2000 · ‎02-23-2007

Greetings

I've been troubleshooting a problem for some time now. We have a Cat6500 with Sup720, CSM version 4.2.5 and SSL version 2.1(10). My users are accessing our intranet like this;

Client Vlan -> FWSM -> CSM Vlan -> SSL ?> CSM -> Intranet servers. The communication between the CSM and the SSL is layer2 but everything else is routed layer 3.

When I use Ethereal to sniff the CSM/SSL Vlan I notice some occasional TCP-out-of-order messages, around 1 per 10-20 packets. But when I turn on SSL cookie stickiness on the virtual server that responds to HTTPS traffic from the users and directs this to the SSL modules I notice a sharp increase in the amount of TCP retransmissions and out-of-order messages. They increases to around 4-7 per 10 packets. At the same time as this is happening I get reports of users getting ?page cannot be displayed? when their browsers are sending POST-messages to the intranet.

I?ve read the release note for SSL module 2.1(10) and noticed that this was an issue that was supposed to be solved. I don?t however think this is related since everything is fine until I turn on SSL cookie sticky on the CSM

Any ideas

Regards

Fredrik Hofgren

brispin · ‎03-01-2007

CSM header or cookie insert causes a TCP checksum error when the CSM operates under a heavy load (> 1000 conn/sec).The CSM may incorrectly set the TCP checksum, causing delays due to retransmission of the packets. This checksum error appears on both the client side and the server side. This situation occurs only with a virtual server using a cookie insert sticky group or a header insert function.