SSL Client certificate Authentication

Mar 24th, 2010

Hi,

The CSS is running version 8.10.1.06 without the SSL module.

In my current setup, client-to-server authentication uses SSL client certificate authentication, and the servers are behind the load balancers.

There are four servers behind the CSS. The problem reported by the app team is that 10% of transactions are failing with the error message "SSL peer shutdown".


The configuration on the CSS:

content CSI
  vip address 1.1.1.1
  port 8889
  protocol tcp
  application ssl
  advanced-balance ssl
  flow-timeout-multiplier 10
  sticky-inact-timeout 10
  add service serv1
  add service serv2
  add service serv3
  add service serv4
  active

group CSI
  vip address 1.1.1.10
  add destination service serv1
  add destination service serv2
  add destination service serv3
  add destination service serv4
  flow-timeout-multiplier 10
  active

service serv1
  ip address 10.1.1.10
  keepalive type tcp
  keepalive port 8889
  active



Is anybody experiencing the same problem with the Cisco CSS?

Any recommended configurations?

Thanks in advance

Gilles Dufour Mon, 03/29/2010 - 05:02
Cisco Employee

Try to increase the flow-timeout-multiplier to 50.

Currently you have 10 x 16 = 160 sec idle timeout.

If your connections stay idle longer than that, the flow is removed by the CSS and a RESET is sent to the client and server, which will complain that the other party closed/shut down the connection.

So, increasing the timeout-multiplier should help.

Be aware that with a value of 50, there are still connections that could time out. But there should be fewer.

You can increase the multiplier to higher values.

Just make sure your average number of connections does not get too close to the limit.


gilles.
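The reply above gives a concrete, checkable claim: a flow idle for longer than flow-timeout-multiplier x 16 seconds is dropped by the CSS and both sides see a RESET. The script below is an added example (not from this thread, and not Cisco's code) of how to test that claim against a packet capture before changing the multiplier: for each client/VIP connection it finds the longest idle gap, compares it with the timeout for a given multiplier, and notes whether the connection ended in a RST or a graceful FIN close. The packets, addresses and timestamps are constructed sample data standing in for a sniffer trace; the 16-second base comes from the reply above.

```python
# Added example (not from the thread): check the CSS idle-timeout explanation
# against captured client<->VIP packets. All packet data below is constructed.
from collections import defaultdict
from dataclasses import dataclass

FLOW_TIMEOUT_BASE_SEC = 16  # seconds per unit of flow-timeout-multiplier (from the reply)


def idle_timeout_seconds(multiplier: int) -> int:
    """Idle timeout the CSS applies to a flow for a given multiplier value."""
    return multiplier * FLOW_TIMEOUT_BASE_SEC


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str
    dst: str
    flags: str   # TCP flags as captured, e.g. "S", "SA", "PA", "FA", "R"


def flow_key(p: Packet):
    """Order the endpoint pair so both directions of a connection map to one flow."""
    return tuple(sorted((p.src, p.dst)))


def analyze_flows(packets, multiplier):
    """Per flow: longest idle gap, whether a RST was seen, and a verdict."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    limit = idle_timeout_seconds(multiplier)
    report = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        max_idle = max(gaps, default=0.0)
        reset = any("R" in p.flags for p in pkts)
        exceeded = max_idle > limit
        if reset and exceeded:
            verdict = "reset after idle gap beyond CSS flow timeout"
        elif reset:
            verdict = "reset within idle limit; flow timeout does not explain it"
        elif exceeded:
            verdict = "idle gap beyond timeout but no reset seen"
        else:
            verdict = "graceful close within idle limit"
        report[key] = {"max_idle_sec": max_idle, "closed_by_reset": reset, "verdict": verdict}
    return report


VIP = "1.1.1.1"  # the content rule VIP from the original post
# Constructed sample capture: three client connections to the VIP.
SAMPLE_PACKETS = [
    # Connection A: client goes quiet for ~200 s, then its next packet draws a RST.
    Packet(0.00, "10.0.0.5", VIP, "S"),
    Packet(0.01, VIP, "10.0.0.5", "SA"),
    Packet(0.02, "10.0.0.5", VIP, "PA"),
    Packet(200.00, "10.0.0.5", VIP, "PA"),
    Packet(200.01, VIP, "10.0.0.5", "R"),
    # Connection B: short request followed by a graceful FIN close.
    Packet(0.00, "10.0.0.6", VIP, "S"),
    Packet(0.50, "10.0.0.6", VIP, "PA"),
    Packet(2.00, VIP, "10.0.0.6", "FA"),
    Packet(2.01, "10.0.0.6", VIP, "FA"),
    # Connection C: reset after about a second, far below any idle timeout.
    Packet(0.00, "10.0.0.7", VIP, "S"),
    Packet(1.00, "10.0.0.7", VIP, "PA"),
    Packet(1.20, VIP, "10.0.0.7", "R"),
]


def count_timeout_suspects(packets, multiplier) -> int:
    """How many flows in the capture look like CSS idle-timeout resets."""
    return sum(1 for r in analyze_flows(packets, multiplier).values()
               if r["verdict"] == "reset after idle gap beyond CSS flow timeout")


if __name__ == "__main__":
    for mult in (10, 50):
        print(f"multiplier {mult}: idle timeout {idle_timeout_seconds(mult)} s")
        for key, r in sorted(analyze_flows(SAMPLE_PACKETS, mult).items()):
            print(f"  {key}: max idle {r['max_idle_sec']:.2f} s -> {r['verdict']}")
```

Run against the sample data, connection A is flagged as an idle-timeout reset at multiplier 10 (160 s limit) but not at 50 (800 s limit), which is the change the reply recommends; connection C is reset well inside the idle limit and therefore needs a different explanation, which matches the situation the original poster later describes (graceful closes, no resets from the CSS).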

rajesh.perumalla Mon, 03/29/2010 - 19:52

Gilles,


Thanks for the response.

I did take a sniffer trace, and the connections are closing gracefully; no resets are sent by the CSS.

It seems there are no issues when the client accesses the server directly, bypassing the CSS.

For the failed connections through the CSS, they see an "SSL peer shutdown" error message.

What else can go wrong with the CSS?

I am planning to make config changes on the CSS so that the content rule is Layer 4 only (removing "application ssl" from the content rule).

Please let me know your thoughts on the configuration.


Regards,

Rajesh
