CSS cookie with SSL

cebetant
Level 1

Connectivity hangs when inserting an arrowpoint cookie in the decrypted traffic flow (using SCA). We use a one-arm architecture with a CSS 11150. From the trace it looks like the CSS cannot insert the cookie and resets the connection after a while.

7 Replies

Gilles Dufour
Cisco Employee

We will need the CSS config and sniffer traces to understand the problem.

You can attach them here or send them to gdufour@cisco.com

Here are the configs.

Your SCA config does not match the CSS.

The CSS forwards the secure traffic to ip:port = 141.122.131.9:444.

Your SCA listens on port 446 [not 444] and it is supposed to forward the decrypted traffic to 141.122.180.254:90, which is not a CSS VIP.

Gilles.

Sorry, I mixed up environments.

Configs look good.

What about the trace?

Did you capture it between the CSS and the SCA?

When do you see the reset? Immediately? Always after the same amount of time? Randomly?

Do you see the cookie inserted by the CSS in the server response?

Thanks,

Gilles.

The capture is between the CSS and the SCA.

The CSS sends the first GET multiple times and sends the RST when it gives up. We never get further than that. The server response is not sent by the CSS.

Found the issue. As the destination servers are not on a directly attached interface, the packets went out by a different interface than the return traffic. It seems that a flow includes the physical interface.
