New Member

CSS: Problems connecting to https URL from Vista PC

Hi,

I have several users located in India trying to connect to a VIP in Canada over an https link and experiencing issues connecting (local users can connect fine to this URL from Vista PC's). The same URL is accessible from India on Win2k PC's. The Vista PC and server successfully established a TCP connection and also start to exchange SSL client/server hellos. It's after this exchange of SSL hellos that I see IP fragmentation and other lost packets messages. Doing a tracert from the PC to the CSS VIP and vice-versa shows 18 hops, so I wonder if I'm experiencing some sort of time-out issue, but why only for Vista?

I've attached (.bmp) the relevant lines from a Wireshark capture from a Vista PC.

PC: 172.16.225.47

VIP: 192.168.16.77

Pings to the users gateway from Canada to India:

H:\>ping 172.16.224.1 -t

Ping statistics for 172.16.224.1:

    Packets: Sent = 270, Received = 270, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 344ms, Maximum =  365ms, Average =  345ms

Any ideas on why the communication fails after the SSL hellos on the Vista PC's?

Thank you in advance!

Manjit


4 REPLIES
Cisco Employee

Re: CSS: Problems connecting to https URL from Vista PC

Manjit,

Most probably a Window Scaling option that is now being used by default by Microsoft Vista.

CSS is not using it by default.

CSCsk92868: HTTP requests fail from Windows Vista client

CSCsv12580: Allow the propagation of TCP Window Scale to be configurable


A nice upgrade to the most recent version should take care of this.

Gilles.

New Member

Re: CSS: Problems connecting to https URL from Vista PC

Hi Gilles,

I have a couple more questions:

Q1. I have 8.10.1.06 running, would you recommend going to 8.20.4.02 or 8.20.3.03?
Q2. I have 8.20.3.03 running on a few other CSSes, would this cause any compatibility issues between the versions if I go with 8.20.4.02?
Q3. What does the integer value in the "flow tcp-window-scale" command do and how do I know what to set it to?

CSS11501(config)# flow tcp-window-scale ?
             Integer value(Range: 0-14)

Thanks again for your excellent advice!
Manjit

Cisco Employee (Accepted Solution)

Re: CSS: Problems connecting to https URL from Vista PC

My personal choice would be 8.20.4.02.

There is no compatibility concern except if you want the 2 devices to be configured in box-to-box redundancy.

In this case, I would recommend to have the same version on both CSS.

CSS11503(config)# flow tcp-window-scale ?
             Integer value(Range: 0-14)

CSS11503(config)# no flow tcp-window-scale
  tcp-window-scale    Reset TCP window scale shift count to default (not sent)

This configuration parameter related to the spoofed TCP SYN/ACK sent back to the client. If this new configuration parameter is set the CSS will insert the TCP WS option in the TCP SYN/ACK back to the client.

So, you need to set the same WS as what is configured on the server.

Gilles.

New Member

Re: CSS: Problems connecting to https URL from Vista PC

Hi,

I have a few more questions, if you don't mind.

Q1. Is changing the tcp-window-scale value a Global change? Does it affect all content rules on the CSS?

Q2. I'm still trying to understand the value and how it relates to the window size in bytes.

for example window size of

1 = 1024bytes ?

2 = 2048bytes ?

...

14 = ??? bytes

How exactly is this calculated ??
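
An added example, not part of the original thread and not Cisco code: the TCP Window Scale option (kind 3, RFC 7323) carries a shift count rather than a size in bytes, and it takes effect only when both the SYN and the SYN/ACK carry it. The option bytes, the shift values 8 and 2, and the assumption that the server saw the client's WS option while the client received a SYN/ACK without one are all constructed for illustration.

```python
# Added example: TCP Window Scale (option kind 3, RFC 7323) is a shift count.
# All option bytes below are constructed samples, not taken from the capture.

def ws_shift(options: bytes):
    """Return the Window Scale shift count in a TCP options field, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                # End of Option List
            break
        if kind == 1:                # No-Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        if kind == 3 and length == 3:
            return min(options[i + 2], 14)   # values above 14 are treated as 14
        i += length
    return None

def negotiated(syn_opts: bytes, synack_opts: bytes):
    """(shift for SYN sender's windows, shift for SYN/ACK sender's windows).
    Scaling is enabled only when both the SYN and the SYN/ACK carry the option."""
    a, b = ws_shift(syn_opts), ws_shift(synack_opts)
    return (0, 0) if a is None or b is None else (a, b)

def window_bytes(window_field: int, shift: int) -> int:
    """Receive window in bytes: the 16-bit header field shifted left by `shift`."""
    return (window_field & 0xFFFF) << shift

CLIENT_SYN = bytes.fromhex("020405b40103030801010402")  # MSS, NOP, WS=8, NOP, NOP, SACK-permitted
SYNACK_NO_WS = bytes.fromhex("020405b4")                # MSS only: WS "not sent"
SYNACK_WS2 = bytes.fromhex("020405b401030302")          # MSS, NOP, WS=2

def demo():
    client_view = negotiated(CLIENT_SYN, SYNACK_NO_WS)  # client got a SYN/ACK without WS
    server_view = negotiated(CLIENT_SYN, SYNACK_WS2)    # server answered with WS=2
    field = 0x4000                                      # window field in a server segment
    return {
        "client_view": client_view,
        "server_view": server_view,
        "server_means": window_bytes(field, server_view[1]),
        "client_reads": window_bytes(field, client_view[1]),
        "max_window": window_bytes(0xFFFF, 14),
    }
```

With these constructed values the same window field means 65536 bytes to the sender and 16384 bytes to the receiver, which is the kind of disagreement that matching the WS value on both sides removes.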
