ACE SSL failing intermittently.

Jul 6th, 2010

Hi All,

  We have a pair of Active/Standby ACE modules doing SSL offload with 10K conn/s licenses. These have been working fine for over a year but recently are getting occasional failures. When establishing a connection to the VIP you get a full TCP handshake and then are disconnected immediately. No certificate is passed, and the "show resource usage" counters do not indicate that it is denied due to license issues. Nothing is logged. "show stats crypto server" does show a failed negotiation, and some of the show np 1 me-stat commands indicate failures, though I'm having trouble interpreting the results. The only suspicious thing I can see is that in "show np 1 me-stat -scrypto" nitrox_contexts_in_use seems to flutter between 99,999 and 100,000 during the times we are having the problems.

  The conn/s isn't going much above 800 (occasionally bursting up to 1200). None of the show resource usage stats seem to be anywhere near capacity (the boxes do about 500Mb/s peak, fairly continuous). System memory looks fine too.

  We are running A2(2.3). I couldn't see anything in the 2.4 release notes that indicated any known related issues.

  Any help would be much appreciated. I can put output up here, but I'll have to sanitize it first (our "security" folks insist).

Gilles Dufour Wed, 07/07/2010 - 00:16

We will need two show tech captures, before and after such an issue (as close as possible), so that we can see which counters are incrementing.


tristan.colgate... Fri, 07/09/2010 - 03:02

We actually tracked this down to issues with concurrent sessions. We were hitting the 200,000 concurrent connections limit on the module. TAC have confirmed that this limit is hard and there is no work around. We have moved this particular traffic back onto the servers. The traffic causing the issue was actually Outlook Anywhere. It holds open large numbers of HTTPS connections per client, so although our TPS is relatively low, our concurrency is unusually high.

Unfortunately "show resource usage" doesn't include a stat for concurrent connections (probably because it's not a controllable resource). show np 1 me-stat -scrypto shows you the number of active nitrox contexts; the limit is 100,000 per NP, after that connections will get disconnected and "failed negotiations" will be registered.

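As an added monitoring example (not code from the thread or from Cisco), the check below parses the nitrox_contexts_in_use counter for each NP and flags a processor that is approaching or at the 100,000-context limit named above, then totals both NPs against the 200,000 figure. The counter output format, the NP ids and the sample values are constructed assumptions, since the page does not reproduce the real command output.

```python
import re

NITROX_CONTEXT_LIMIT_PER_NP = 100_000   # per-NP limit quoted in the thread
WARN_RATIO = 0.90                       # alert well before the hard limit

# Constructed sample captures of "show np <n> me-stat -scrypto", one per NP.
# The line layout is assumed; only the counter name comes from the thread.
SAMPLE_CAPTURES = {
    1: "nitrox_contexts_in_use:          100000\nsome_other_counter:      42\n",
    2: "nitrox_contexts_in_use:           84210\nsome_other_counter:       7\n",
}

COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z_]+)\s*:\s*(?P<value>\d+)\s*$", re.M)


def parse_counters(text):
    """Turn 'name: value' lines into a dict of ints (format is an assumption)."""
    return {m["name"]: int(m["value"]) for m in COUNTER_RE.finditer(text)}


def assess(captures, limit=NITROX_CONTEXT_LIMIT_PER_NP, warn_ratio=WARN_RATIO):
    """Classify each NP and total the contexts against len(captures) x limit."""
    report = {"per_np": {}, "total": 0, "module_limit": limit * len(captures)}
    for np_id, text in captures.items():
        in_use = parse_counters(text).get("nitrox_contexts_in_use", 0)
        if in_use >= limit:
            state = "EXHAUSTED"   # new SSL handshakes on this NP will be dropped
        elif in_use >= limit * warn_ratio:
            state = "WARN"        # the "flutter at 99,999" zone from the post
        else:
            state = "OK"
        report["per_np"][np_id] = {
            "in_use": in_use,
            "headroom": max(limit - in_use, 0),
            "state": state,
        }
        report["total"] += in_use
    return report


if __name__ == "__main__":
    r = assess(SAMPLE_CAPTURES)
    for np_id, s in r["per_np"].items():
        print(f"NP {np_id}: {s['in_use']:>7} contexts, headroom {s['headroom']:>6}, {s['state']}")
    print(f"module total {r['total']} / {r['module_limit']}")
```

Feeding two captures taken a few seconds apart into assess() separately shows whether the counter is pinned at the limit or just spiking, which is the distinction the poster was trying to read from the raw output.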
