
New Member

Broken SSL sessions on a CSS11503

We are using a CSS11503 without SSL module and S/W-Version 7.20 Build 104.

We define the following content rule:

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  protocol tcp
  port 443
  balance srcip
  application ssl
  active

We see that SSL sessions from a client to the vip address 143.245.6.101 are interrupted after a while (some after 10 minutes, others later).

A network sniffer trace, where the sniffer is located at the CSS uplink near the firewall, tells us:

- while the SSL session is up, there is a regular SSL network flow from the CSS VIP address to the client.

- in cases where the session is interrupted, we only see some packets sent directly by the server behind the CSS VIP address to the client!!??

It seems that after a while (e.g. 10 minutes) the CSS box stops switching the packets according to the content rule. Instead, the packets are routed as if there were no content rule.

Do you have any idea what we can do?

Thank you for your help

Franz


7 REPLIES
rob
New Member

Re: Broken SSL sessions on a CSS11503

Hi, I could be mistaken, but shouldn't you configure sticky IP so the TCP sessions remain on the box, especially for SSL connections?

Try the following and see what happens:

Content

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  sticky-mask 255.255.0.0
  advanced-balance sticky-srcip
  protocol tcp
  port 443
  application ssl
  active

New Member

Re: Broken SSL sessions on a CSS11503

Hi,

I defined the content rule in the following way, analogous to a configuration example by Cisco:

content citrix-csg.oekb.at_https
  add service citrix-csg.oekb.at_https_1
  add service citrix-csg.oekb.at_https_2
  vip address 143.245.6.101
  application ssl
  advanced-balance ssl
  protocol tcp
  port 443
  url "/*"
  balance aca
  active

In addition, I suspended the service citrix-csg.oekb.at_https_2!

The result of this test scenario was the same as before: after a while the SSL session dies ...

Thank you for your first aid,

Franz

Cisco Employee

Re: Broken SSL sessions on a CSS11503

Most probably the connection stayed idle for at least 16 seconds and it was then garbage collected and RST by the CSS.

Try the command 'flow-timeout-multiplier 10' under the content rule configuration and see if this improves the situation.

If it improves but does not solve completely, increase the value from 10 to 50.

Gilles.
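
An added example (not from this thread or from Cisco) that applies the explanation above to a constructed packet timeline: it assumes the 16-second default idle timeout is scaled linearly by flow-timeout-multiplier, finds the first idle gap long enough for the CSS to garbage-collect the flow, and computes the smallest multiplier that would keep the session alive.

```python
"""Check a TCP/SSL flow's idle gaps against an assumed CSS flow idle timeout.

Constructed example, not Cisco code. Model (assumption): the flow is garbage
collected once it has been idle for 16 s * flow-timeout-multiplier.
"""
import math

BASE_IDLE_TIMEOUT_S = 16.0  # default TCP flow idle timeout cited in the reply above


def effective_timeout(multiplier: int) -> float:
    """Seconds a flow may stay silent before the CSS drops it (assumed model)."""
    if multiplier < 1:
        raise ValueError("multiplier must be >= 1")
    return BASE_IDLE_TIMEOUT_S * multiplier


def idle_gaps(timestamps):
    """Seconds of silence between consecutive packets of one flow, in order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def first_dropped_gap(timestamps, multiplier: int = 1):
    """(packet_time, gap) of the first packet that arrives after the flow state
    would already have been garbage collected, or None if the flow survives."""
    limit = effective_timeout(multiplier)
    ts = sorted(timestamps)
    for prev, cur in zip(ts, ts[1:]):
        if cur - prev >= limit:  # 'idle for at least' the timeout: flow is gone
            return cur, cur - prev
    return None


def minimum_multiplier(timestamps, cap: int = 50):
    """Smallest multiplier (1..cap) keeping every gap below the timeout, or None."""
    gaps = idle_gaps(timestamps)
    if not gaps:
        return 1
    need = math.floor(max(gaps) / BASE_IDLE_TIMEOUT_S) + 1
    return need if need <= cap else None


# Constructed timeline (seconds since handshake) of one client<->VIP session:
# steady traffic every 5 s, a 70 s pause while the user is idle, then traffic resumes.
SAMPLE_FLOW = [0, 5, 10, 15, 20, 90, 95, 100]

if __name__ == "__main__":
    print(first_dropped_gap(SAMPLE_FLOW))     # (90, 70): default 16 s timeout drops the flow
    print(first_dropped_gap(SAMPLE_FLOW, 5))  # None: 80 s timeout outlasts the pause
    print(minimum_multiplier(SAMPLE_FLOW))    # 5
```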

New Member

Re: Broken SSL sessions on a CSS11503

Hi Gilles,

Thank you for your hint. Using the command

'flow-timeout-multiplier 5'

under the content rule configuration seems to solve our problem with broken SSL sessions.

Thank you

Franz

Cisco Employee

Re: Broken SSL sessions on a CSS11503

May I ask you to mark the thread as solved so other people only looking at the solution can read this discussion.

Glad to see the problem is solved.

Thanks,

Gilles.

New Member

Re: Broken SSL sessions on a CSS11503

I have the same issue on an 11050 running 6.10 build 4, and the flow-timeout command doesn't exist. Is there anything I can use?

Thanks

Tony

Cisco Employee

Re: Broken SSL sessions on a CSS11503

Try the global config command 'flow port1 443 timeout '.

Regards,

Gilles.
