I have created an xml-firewall with an ssl proxy-profile with identification and validation credentials.
This works fine for 90% of our customers. Only some customers get strange timeouts after a fixed amount of requests.
The customer sets up an SSL connection and starts sending XML messages; after, for example, 53 messages they seem to get an SSL alert from the XS40 and the connection is disconnected.
When they set up a new connection again, after exactly the same number of messages they get the same issue.
Another strange thing is that when I disable the multistep probe they can send 75 messages instead of 53 and then get the timeout. When they then connect again, 75 messages can again be sent.
It can be 75 messages in 5 minutes, but also after 75 messages in 20 minutes they get the reset.
I can't simulate this with our own software. All our timeout settings are set to 1800 seconds so that should not be the problem. As mentioned, only a couple of parties seem to have this problem on the same xml-firewall rule.
I don't have any idea anymore what could cause this... because a working SSL connection is made and messages can be sent. Other customers are sending, for example, 200 messages in 5 minutes without error...
Sw version 188.8.131.52
Re: SSL Alerts causing timeouts on XS40
2009-03-10T09:38:54Z
- SystemAdmin 110000D4XK
In the SSL Proxy profile:
Server-side Session Cache Timeout 3600 seconds
Server-side Session Cache Size 100
Under Xml-firewall HTTP Options:
HTTP Timeout 1800 seconds
HTTP Persistent Timeout 1800 seconds
HTTP Persistent Connections on
Under XML Manager:
XSL Cache size 256
XML Bytes scanned: 35000000
Under User Agent:
Probably you need to know some more settings; please let me know.
The strange thing is that when disabling the probe some more messages can be sent, but also an SSL alert is raised.
SystemAdmin 110000D4XK 6772 Posts
Re: SSL Alerts causing timeouts on XS40
2009-03-12T06:42:17Z
- steadye 0600024ABH
Have you tried with setting persistent connections off?
I'm not sure if you're running into the same situation, but we encountered a somewhat similar problem a while ago, where we had to set persistent connections off.
I didn't work the problem at our place directly, but what I was told was that with persistent connections on, they were seeing connections close, but then the connections weren't being re-established after that. Setting persistent connections off apparently solved their problem, and they've "moved on", so I haven't been able to get anyone to try to set up a test configuration to try to replicate the original problem.
inestlerode 270001CUTT 166 Posts
Re: SSL Alerts causing timeouts on XS40
2009-03-12T17:16:56Z
I think the causality here is mixed up. SSL sends alerts to indicate connection closure (like TCP FIN), so it is likely that the alerts are neither an error nor the cause of the problem here. It probably just means that whatever is on top of SSL (HTTP in this case) has decided to close the connection.
I think the HTTP server has leeway on when to close a persistent connection (it may do this periodically to recycle resources regardless of timeout settings). It doesn't necessarily indicate any kind of error. I'm guessing you could see similar behavior with clear text HTTP (if you keep the HTTP settings the same and just turn off SSL).
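The distinction drawn in the reply above can be checked against a packet capture. The following is an added example (not part of the thread and not DataPower code) that walks the SSL/TLS records of one direction of a stream and separates an orderly close_notify alert from a fatal alert. The function name is hypothetical and the sample bytes are constructed.

```python
import struct

# Subset of alert descriptions defined by the SSL 3.0 / TLS specifications.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_ALERT = 21  # record-layer content type for alerts


def classify_alerts(stream: bytes):
    """Return one verdict per alert record found in a byte stream of
    SSL/TLS records (hypothetical helper, added for illustration)."""
    verdicts, offset = [], 0
    while offset + 5 <= len(stream):
        # Record header: content type, version major/minor, fragment length.
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        fragment = stream[offset + 5: offset + 5 + length]
        offset += 5 + length
        if len(fragment) < length:
            break  # incomplete record at the end of the capture
        if ctype != CONTENT_ALERT:
            continue
        if length == 2:  # plaintext alert: level byte + description byte
            level = ALERT_LEVELS.get(fragment[0], f"level {fragment[0]}")
            desc = ALERT_DESCRIPTIONS.get(fragment[1], f"alert {fragment[1]}")
            kind = "orderly close" if fragment[1] == 0 else "error"
            verdicts.append(f"{level} {desc} ({kind})")
        else:
            # Once the handshake has completed the alert body is encrypted,
            # so a capture alone cannot tell close_notify from a fatal alert.
            verdicts.append("encrypted alert (check endpoint logs)")
    return verdicts


# Constructed sample records, not taken from the thread.
SAMPLE_CLOSE = bytes([21, 3, 1, 0, 2, 1, 0])    # warning / close_notify
SAMPLE_FATAL = bytes([21, 3, 1, 0, 2, 2, 40])   # fatal / handshake_failure
SAMPLE_ESTABLISHED = (bytes([23, 3, 1, 0, 3]) + b"abc"      # application data
                      + bytes([21, 3, 1, 0, 22]) + bytes(22))  # encrypted alert

if __name__ == "__main__":
    for name, data in [("close", SAMPLE_CLOSE), ("fatal", SAMPLE_FATAL),
                       ("established", SAMPLE_ESTABLISHED)]:
        print(name, classify_alerts(data))
```
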
Re: SSL Alerts causing timeouts on XS40
2009-03-13T14:02:45Z
- SystemAdmin 110000D4XK
I switched off persistent connections but it makes it even worse. Now after two requests the connection is broken.
I now have the client software so I will test with it locally to see what is going wrong.
Re: SSL Alerts causing timeouts on XS40
2009-03-13T14:06:29Z
- inestlerode 270001CUTT
Only in combination with a couple of specific clients using the same software we see this behaviour.
It should be a combination between the SSL stack and configuration of the XS40 and the client software.
Before migrating to the XS40 the same client software worked perfectly with our infrastructure.