Urgent Please.... Help on https issue

Unanswered Question
Jan 31st, 2008


I have CSS11501, i have problem during accessing the server with the VIP only when using https, ssl certificates has been installed in CSS. That is i tried with http only and it worked fine. but when use https im getting a session expired all the time

i checked also with IE and Mozilla and found out both are the same message always "Session Expired" but noticed with Mozilla always the behavoiur is much much better !!

there is no no load-balancing, and i was checking with bot set of servers PUSH/PULL and GOTBOFE (as attached file shows) and on both im getting the same problem !!

Please Can you advice !!!



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Thu, 01/31/2008 - 01:07


what do you mean by session expired ?

Are you able to see the page, but after a while, when you click on a link you get a session expired ?

There is 4 minutes idle timeout on the ssl-module.

Virtual TCP Inactivity TO: 240 Server TCP Inactivity TO: 240

After that, the connection is removed.

Not sure if that is the problem.

Maybe get us a sniffer trace showing the problem and explain what you see and do before getting the error.


hassan_oudeh Fri, 02/01/2008 - 09:53


thanks for your response...

i found where the problem ...

there was some packests being sent from thr CSS to the server which exceed the m aximum segment size. and the firwall was blocking these traffice :) from the loggin message from the ASA firewall i was seing exceed-mss

after 3 days of troublshooting finally we got it :)

anyways thanks

Oscar Cardiel Wed, 11/25/2009 - 00:29

Hi Hassan,

I have just the same issue. How do you solved it?, did you change the MSS size in the ASA straightly or in CSS with he commands “flow tcp-mss ..” and “tcp-ip fragment enable”.

Thanks you,


hassan_oudeh Wed, 11/25/2009 - 00:34


Actually that was very long time.

I really forgot the commands and I don't have access to the device.

But try enable the logging on the ASA and see what is happining exaclty in your case.


Oscar Cardiel Wed, 11/25/2009 - 01:01

yep, that's a pity!, I will keep working with in it. Thanks a million!




This Discussion