Cisco Support Community
New Member

SSL Client certificate Authentication


The CSS is running version without SSL Module

In my current setup the client-to-server authentication uses SSL client certificate authentication, and the servers are behind the load balancers.

There are four servers behind the CSS. The problem reported by the app team is that 10% of transactions are failing with the error message - SSL peer shutdown

The configurations on the CSS:

Content CSI
  vip address
  port 8889
  protocol tcp
  application ssl
  advanced-balance ssl
  flow-timeout-multiplier 10
  sticky-inact-timeout 10
  add service serv1
  add service serv2
  add service serv3
  add service serv4

Group CSI
  vip address
  add destination service serv1
  add destination service serv2
  add destination service serv3
  add destination service serv4
  flow-timeout-multiplier 10


Service serv1
  ip address
  keepalive type tcp
  keepalive port 8889


Has anybody experienced the same problem with Cisco CSS?

Any recommended configurations?

Thanks in advance

Cisco Employee

Re: SSL Client certificate Authentication

Try to increase the flow-timeout-multiplier to 50.

Currently you have 10 x 16 = 160 sec idle timeout.

If your connections stay idle longer than that, they are removed by the CSS and a RESET will be sent to the client and server, which will complain that the other party closed/shut down the connection.

So, increasing the timeout-multiplier should help.

Be aware that with a value of 50, there are still connections that could time out. But there should be fewer.

You can increase the multiplier to higher values.

Just make sure your average number of connections does not get too close to the limit.


New Member

Re: SSL Client certificate Authentication


Thanks for the response.

I did take the sniffer trace and the connections are closing gracefully and no resets are sent by the CSS.

It seems there are no issues when the client accesses the server directly, bypassing the CSS.

For the failed connections through the CSS, they see an SSL peer shutdown error message.

What else can go wrong with the CSS?

I am planning to do the config changes on the CSS to make the content configurations Layer 4 only (removing the application ssl from the content).

Please let me know your thoughts on the configuration.


