03-24-2010 04:38 PM
Hi,
The CSS is running version 8.10.1.06 without SSL Module.
In my current setup, the client-to-server authentication is using SSL client certificate authentication, and the servers are behind the load balancers.
There are four servers behind the CSS. The problem reported by the APP team is that 10% of transactions are failing with the error message - SSL peer shutdown.
The configurations on the CSS:
Content CSI
vip address 1.1.1.1
port 8889
protocol tcp
application ssl
advanced-balance ssl
flow-timeout-multiplier 10
sticky-inact-timeout 10
add service serv1
add service serv2
add service serv3
add service serv4
active
Group CSI
vip address 1.1.1.10
add destination service serv1
add destination service serv2
add destination service serv3
add destination service serv4
flow-timeout-multiplier 10
active
Service serv1
ip address 10.1.1.10
keepalive type tcp
keepalive port 8889
active
Has anybody experienced the same problem with Cisco CSS?
Any recommended configurations?
Thanks in advance
03-29-2010 05:02 AM
Try to increase the flow-timeout-multiplier to 50.
Currently you have 10 x 16 = 160 sec idle timeout.
If your connections stay idle longer than that, they are removed by the CSS and a RESET will be sent to the client and server, which will complain that the other party closed/shut down the connection.
So, increasing the timeout-multiplier should help.
Be aware that with a value of 50, there are still connections that could time out. But there should be fewer.
You can increase the multiplier to higher values.
Just make sure your average number of connections does not get too close to the limit.
gilles.
03-29-2010 07:52 PM
Gilles,
Thanks for the response.
I did take the sniffer trace, and the connections are closing gracefully and no resets are sent by the CSS.
It seems there are no issues when the client accesses the server directly, bypassing the CSS.
For the failed connections through the CSS, they see an SSL peer shutdown error message.
What else can go wrong with the CSS?
I am planning to do the config changes on the CSS to make the content configurations as Layer 4 only (Removing the Application SSL from the content)
Please let me know your thoughts on the configuration.
Regards,
Rajesh