SSL Client certificate Authentication

Hi,

The CSS is running version 8.10.1.06 without the SSL module.

In my current setup, client-to-server authentication uses SSL client certificate authentication, and the servers are behind the load balancers.

There are four servers behind the CSS. The problem reported by the APP team is that 10% of transactions are failing with the error message "SSL peer shutdown".

The configuration on the CSS:

content CSI
  vip address 1.1.1.1
  port 8889
  protocol tcp
  application ssl
  advanced-balance ssl
  flow-timeout-multiplier 10
  sticky-inact-timeout 10
  add service serv1
  add service serv2
  add service serv3
  add service serv4
  active

group CSI
  vip address 1.1.1.10
  add destination service serv1
  add destination service serv2
  add destination service serv3
  add destination service serv4
  flow-timeout-multiplier 10
  active

service serv1
  ip address 10.1.1.10
  keepalive type tcp
  keepalive port 8889
  active

Is anybody experiencing the same problem with the Cisco CSS?

Any recommended configurations?

Thanks in advance.

2 Replies

Gilles Dufour
Cisco Employee

Try to increase the flow-timeout-multiplier to 50.

Currently you have 10 x 16 = 160 sec idle timeout.

If your connection stays idle longer than that, it is removed by the CSS and a RESET is sent to the client and the server, which will complain that the other party closed/shut down the connection.

So, increasing the timeout-multiplier should help.

Be aware that with a value of 50 there are still connections that could time out. But there should be fewer.

You can increase the multiplier to higher values.

Just make sure your average number of connections does not get too close to the limit.

gilles.
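A way to check the idle-timeout explanation above against a sniffer trace, as an added example that is not part of the thread: it groups a constructed trace into flows, finds the longest idle gap per flow, compares it with the multiplier x 16 s figure quoted in the reply, and reports the smallest multiplier that would cover the worst gap. The trace format and the flow keying are assumptions of this example.

```python
# Added example, not from the thread. Estimates which flows in a trace would
# exceed the CSS idle timeout (flow-timeout-multiplier x 16 s, the figure
# quoted in the reply above) and which multiplier would cover all of them.
import math
from collections import defaultdict

BASE_TIMEOUT_SEC = 16  # per-unit value taken from the reply (10 x 16 = 160 s)

# Constructed trace: "<seconds> <src:port> > <dst:port>", one packet per line.
# Flow B is silent for 210 s, longer than the 160 s the multiplier of 10 allows.
TRACE = """
0.0   192.0.2.10:51000 > 1.1.1.1:8889
0.4   1.1.1.1:8889 > 192.0.2.10:51000
40.0  192.0.2.10:51000 > 1.1.1.1:8889
0.0   192.0.2.11:51001 > 1.1.1.1:8889
210.0 192.0.2.11:51001 > 1.1.1.1:8889
"""


def idle_timeout(multiplier):
    """Idle timeout in seconds for a given flow-timeout-multiplier."""
    return multiplier * BASE_TIMEOUT_SEC


def parse_trace(lines):
    """Group packets into bidirectional flows keyed by the endpoint pair.
    Returns {(endpoint_a, endpoint_b): sorted list of timestamps}."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        flows[tuple(sorted((src, dst)))].append(float(ts))
    return {key: sorted(times) for key, times in flows.items()}


def max_idle_gap(timestamps):
    """Longest silence between consecutive packets of one flow."""
    return max((b - a for a, b in zip(timestamps, timestamps[1:])), default=0.0)


def flows_exceeding(flows, multiplier):
    """Flows the CSS would tear down for idling past the configured timeout."""
    limit = idle_timeout(multiplier)
    return {key: max_idle_gap(t) for key, t in flows.items() if max_idle_gap(t) > limit}


def multiplier_needed(flows):
    """Smallest multiplier whose timeout covers the longest idle gap seen."""
    worst = max((max_idle_gap(t) for t in flows.values()), default=0.0)
    return max(1, math.ceil(worst / BASE_TIMEOUT_SEC))


if __name__ == "__main__":
    parsed = parse_trace(TRACE.splitlines())
    print("over limit at multiplier 10:", flows_exceeding(parsed, 10))
    print("multiplier needed:", multiplier_needed(parsed))
```

Run against a real trace, an empty result at the configured multiplier means the idle timeout is not the cause of the failures and the problem lies elsewhere.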

Gilles,

Thanks for the response.

I did take a sniffer trace; the connections are closing gracefully and no resets are sent by the CSS.

It seems there are no issues when the client accesses the server directly, bypassing the CSS.

For the failed connections through the CSS, they see an "SSL peer shutdown" error message.

What else can go wrong with the CSS?

I am planning to change the CSS configuration to make the content rule Layer 4 only (removing "application ssl" from the content rule).

Please let me know your thoughts on the configuration.

Regards,

Rajesh