steadye
53 Posts

Pinned topic SSL Alerts causing timeouts on XS40

‏2009-03-09T20:24:58Z |
I have created an xml-firewall with an ssl proxy-profile with identification and validation credentials.

This works fine for 90% of our customers. Only some customers get strange timeouts after a fixed amount of requests.
The customer sets up an SSL connection and starts sending XML messages; after, for example, 53 messages they seem to get an SSL alert from the XS40 and the connection is disconnected.
When they set up a new connection again, after exactly the same number of messages they get the same issue.
Another strange thing is that when I disable the multistep probe they can send 75 messages instead of 53 and then get the timeout. When they then connect again, again 75 messages can be sent.
It can be 75 messages in 5 minutes, but also after 75 messages in 20 minutes they get the reset.
I can't simulate this with our own software. All our timeout settings are set to 1800 seconds so that should not be the problem. As mentioned, only a couple of parties seem to have this problem on the same xml-firewall rule.

I don't have any idea anymore what could cause this... because a working SSL connection is made and messages can be sent. Other customers are sending, for example, 200 messages in 5 minutes without error...

Sw version 3.7.1.5

Any ideas?

THX.
  • SystemAdmin
    6772 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-10T00:12:23Z  
    What timeouts are set to 1800 seconds? Are all the clients sending the same size messages?

    Corey
  • steadye
    53 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-10T09:38:54Z  
    Corey, some settings which may be involved:

    In the SSL Proxy profile:
    Server-side Session Cache Timeout 3600 seconds
    Server-side Session Cache Size 100

    Under Xml-firewall HTTP Options:

    HTTP Timeout 1800 seconds
    HTTP Persistent Timeout 1800 seconds
    HTTP Persistent Connections on

    Under XML Manager:
    XSL Cache size 256
    XML Parser:
    XML Bytes scanned: 35000000

    Under User Agent:
    Timeout 1800

    Probably you need to know some more settings; please let me know.
    Strange thing is, when disabling the probe some more messages can be sent, but also an SSL alert is raised.

    thx Eddie
  • SystemAdmin
    6772 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-12T06:42:17Z  
    Eddie,

    Have you tried with setting persistent connections off?

    I'm not sure if you're running into the same situation, but we encountered a somewhat similar problem a while ago, where we had to set persistent connections off.

    I didn't work the problem at our place directly, but what I was told was that with persistent connections on, they were seeing connections close, but then the connections weren't being re-established after that. Setting persistent connections off apparently solved their problem, and they've "moved on", so I haven't been able to get anyone to try to set up a test configuration to try to replicate the original problem.

    Jim
  • inestlerode
    166 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-12T17:16:56Z  
    I think the causality here is mixed up. SSL sends alerts to indicate connection closure (like TCP FIN), so it is likely that the alerts are neither an error nor the cause of the problem here. It probably just means that whatever is on top of SSL (HTTP in this case) has decided to close the connection.

    I think the HTTP server has leeway on when to close a persistent connection (it may do this periodically to recycle resources regardless of timeout settings). It doesn't necessarily indicate any kind of error. I'm guessing you could see similar behavior with clear text HTTP (if you keep the HTTP settings the same and just turn off SSL).
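
The distinction drawn in the post above, between an alert that announces normal closure and one that reports an error, as an added example that is not from any poster in this thread. It walks SSL/TLS records in a captured byte stream; the sample bytes are constructed, and treating a 2-byte alert body as plaintext is a heuristic assumption.

```python
import struct

ALERT = 21                      # record content type for alerts (SSL 3.0 / TLS)
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
ENCRYPTED = "encrypted alert (cannot classify without session keys)"

def record(ctype, body, version=(3, 1)):
    """Build one record: type, version, 16-bit length, body (used for the samples)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

def classify_alerts(stream):
    """Return one description per alert record found in the byte stream."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:
            out.append("truncated record")
            break
        pos += 5 + length
        if ctype != ALERT:
            continue            # handshake / application data: not of interest here
        # Heuristic: a plaintext alert is exactly level + description. Once the
        # cipher is active the body also carries MAC/padding and is opaque.
        if length == 2 and body[0] in LEVELS:
            desc = DESCRIPTIONS.get(body[1], "alert_%d" % body[1])
            kind = "normal closure" if body[1] == 0 else "error"
            out.append("%s %s (%s)" % (LEVELS[body[0]], desc, kind))
        else:
            out.append(ENCRYPTED)
    return out

# Constructed samples, not taken from the thread.
# A session after the handshake: the closing alert is visible only as an opaque record.
AFTER_HANDSHAKE = record(22, b"\x00" * 4) + record(23, b"\xaa" * 32) + record(21, b"\x5c" * 22)
# Alerts sent before encryption starts: level and description are readable.
IN_CLEAR = record(21, b"\x01\x00") + record(21, b"\x02\x28")

if __name__ == "__main__":
    for name, capture in (("after handshake", AFTER_HANDSHAKE), ("in clear", IN_CLEAR)):
        print(name, classify_alerts(capture))
```

An alert seen on the wire after the handshake is encrypted, so a packet capture alone cannot tell a close_notify from a fatal alert; the endpoint's own log or decrypted traffic is needed to decide which one it was.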
  • steadye
    53 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-13T14:02:45Z  
    Hello Jim,

    I switched off persistent connections but it makes it even worse. Now after two requests the connection is broken.

    I now have the client software so I will test with it locally to see what is going wrong.
  • steadye
    53 Posts

    Re: SSL Alerts causing timeouts on XS40

    ‏2009-03-13T14:06:29Z  
    The strange thing is that about 95 % of our connecting clients (about 3000) work with no problem.

    Only in combination with a couple of specific clients using the same software do we see this behaviour.
    It should be a combination between the SSL stack and configuration of the XS40 and the client software.

    Before migrating to the XS40 the same client software worked perfectly with our infrastructure.