
CSS: Problems connecting to https URL from Vista PC

mduhra
Level 1

Hi,

I have several users located in India trying to connect to a VIP in Canada over an https link and experience issues connecting (local users can connect fine to this URL from Vista PCs). The same URL is accessible from India on Win2k PCs. The Vista PC and server successfully established a TCP connection and also start to exchange SSL client/server hellos. It's after this exchange of SSL hellos that I see IP fragmentation and other lost packets messages. Doing a tracert from the PC to the CSS VIP and vice-versa shows 18 hops, so wonder if I'm experiencing some sort of time-out issue, but why only for Vista?

I've attached (.bmp) the relevant lines from a Wireshark capture from a Vista PC.

PC: 172.16.225.47

VIP: 192.168.16.77

Pings to the users' gateway from Canada to India:

H:\>ping 172.16.224.1 -t

Ping statistics for 172.16.224.1:

    Packets: Sent = 270, Received = 270, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 344ms, Maximum =  365ms, Average =  345ms

Any ideas on why the communication fails after the SSL hellos on the Vista PCs?

Thank you in advance!

Manjit


Gilles Dufour
Cisco Employee

Manjit,

Most probably a Window Scaling option that is now being used by default by Microsoft Vista.

CSS is not using it by default.

CSCsk92868: HTTP requests fail from Windows Vista client

CSCsv12580: Allow the propagation of TCP Window Scale to be configurable


A nice upgrade to the most recent version should take care of this.

Gilles.

Hi Gilles,

I have a couple more questions:

Q1. I have 8.10.1.06 running, would you recommend going to 8.20.4.02 or 8.20.3.03?
Q2. I have 8.20.3.03 running on a few other CSSes, would this cause any compatibility issues between the versions if I go with 8.20.4.02?
Q3. What does the integer value in the "flow tcp-window-scale" command do and how do I know what to set it to?

CSS11501(config)# flow tcp-window-scale ?
             Integer value(Range: 0-14)

Thanks again for your excellent advice!
Manjit

My personal choice would be 8.20.4.02.

There is no compatibility concern except if you want the 2 devices to be configured in box-to-box redundancy.

In this case, I would recommend to have the same version on both CSS.

CSS11503(config)# flow tcp-window-scale ?
             Integer value(Range: 0-14)
CSS11503(config)# no flow tcp-window-scale
    tcp-window-scale    Reset TCP window scale shift count to default (not sent)

This configuration parameter is related to the spoofed TCP SYN/ACK sent back to the client. If this new configuration parameter is set, the CSS will insert the TCP WS option in the TCP SYN/ACK back to the client.

So, you need to set the same WS as what is configured on the server.

Gilles.

Hi,

I have a few more questions, if you don't mind.

Q1. Is changing the tcp-window-scale value a global change, does it affect all content rules on the CSS?

Q2. I'm still trying to understand the value and how it relates to the window size in bytes.

For example, window size of

1 = 1024 bytes ?

2 = 2048 bytes ?

...

14 = ??? bytes

How exactly is this calculated ??
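
How the 0-14 value maps to bytes, and why the shift in the SYN/ACK has to agree with the server's, shown as an added example that is not part of the thread: per RFC 7323 the advertised window is the 16-bit window field shifted left by the shift count. The header bytes, ports, window values and the server shift of 7 are constructed for illustration.

```python
import struct

def tcp_header(flags, window, options=b""):
    """Build a minimal TCP header (constructed sample data, not a capture)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    off_flags = ((5 + len(options) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", 49152, 443, 1000, 0,
                       off_flags, window, 0, 0) + options

def ws_shift(header):
    """Return the Window Scale shift count (option kind 3), or None if absent."""
    opts = header[20:(header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            break
        if kind == 1:                                  # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                      # malformed option, stop
        if kind == 3 and opts[i + 1] == 3:
            return min(opts[i + 2], 14)                # RFC 7323 caps the shift at 14
        i += opts[i + 1]
    return None

def effective_window(window_field, shift):
    """Bytes advertised = 16-bit window field shifted left by the shift count."""
    return window_field << (shift or 0)

def check_handshake(syn, synack, server_shift):
    """Compare the WS the client sees in the SYN/ACK with the server's shift."""
    if ws_shift(syn) is None:
        return "client-no-ws"
    seen = ws_shift(synack)
    if seen is None:
        return "synack-omits-ws"      # client will treat every window as unscaled
    return "ok" if seen == server_shift else "shift-mismatch"

# Constructed samples: SYN offering WS=8, SYN/ACKs without WS and with WS=7.
SYN = tcp_header(0x02, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
SYNACK_NO_WS = tcp_header(0x12, 8192, b"\x02\x04\x05\xb4")
SYNACK_WS7 = tcp_header(0x12, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x07")

if __name__ == "__main__":
    for shift in (0, 1, 2, 14):
        print(shift, effective_window(65535, shift))
    print(check_handshake(SYN, SYNACK_NO_WS, 7), check_handshake(SYN, SYNACK_WS7, 7))
    print("server means", effective_window(256, 7), "client reads", effective_window(256, None))
```

The shift is a power-of-two multiplier on the window field, not a size in KB: a field of 256 sent by a host using shift 7 means 32768 bytes, but a peer that never saw a WS option in the SYN/ACK reads it as 256 bytes.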
