We have a pair of Active/Standby ACE modules doing SSL offload with 10K conn/s licenses. These have been working fine for over a year but recently are getting occasional failures. When establishing a connection to the VIP you get a full TCP handshake and then are disconnected immediately. No certificate is passed, and the "show resource usage" counters do not indicate that it is denied due to license issues. Nothing is logged. "show stats crypto server" does show a failed negotiation, and some of the "show np 1 me-stat" commands indicate failures, though I'm having trouble interpreting the results. The only suspicious thing I can see is that in "show np 1 me-stat -scrypto" nitrox_contexts_in_use seems to flutter between 99,999 and 100,000 during the times we are having the problems.
The conn/s isn't going much above 800 (occasionally bursting up to 1200). None of the "show resource usage" stats seems to be anywhere near capacity (the boxes do about 500Mb/s peak, fairly continuous). System memory looks fine too.
We are running A2(2.3). I couldn't see anything in the 2.4 release notes that indicated any known related issues.
Any help would be much appreciated. I can put output up here, but I'll have to sanitize it first (our "security" folks insist).