CSS 11500 - Flows and ACLs

Unanswered Question
Jul 12th, 2010

Hi Guys,

I have an issue with a new application on my CSS 11500. There are three interfaces on the CSS, an internet I/F, a webfarm I/F and an inside I/F.

The CSS also has an SSL engine installed.

Traffic arrives at the internet I/F and is run through the SSL before hitting a content rule which makes a clear text backend connection to a webserver on the webfarm. That server then talks to an application server on the inside I/F using a non-standard port.

The problem I have is with timeouts. The three-way handshake is being established OK between the webserver and the app server, but because the app server takes a long time to process the first reply (around 70 seconds) I think the CSS is tearing down the flow before the app server is ready to send.

On the webserver VLAN there is an ACL to allow this traffic to the app server, but it is only a permit TCP ACL like this...

CLAUSE XX PERMIT TCP NQL somename DESTINATION NQL someothername RANGE YYYY-YYYX

When I do 'show ACL' for this clause I can see content hits on it. I'm a bit confused here: as this ACL has no 'content' parameter specified, I would have thought it would show router hits?

On the original inbound ACL (from the internet I/F) I have a flow timeout multiplier of 20 configured. But this should be a separate flow?

What I want to know is this...

Given that there are content hits on this clause, is the flow timeout 20*16 or the default 16 seconds?

It would seem to me that it should be 16 seconds, but I'm confused because of the content hits. If it is 16 seconds, how can I change it to, say, 2 mins without using the flow permanent command?

Any light shed on this would be greatly appreciated.

Cheers
