Re: [fw-wiz] Broken pipe on SSL connections
From: Ng Pheng Siong (ngps_at_netmemetic.com)
To: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>
Date: Mon, 26 Jan 2004 11:16:33 +0800
On Fri, Jan 23, 2004 at 09:30:05PM +0100, Ludolph, Michel wrote:
> We establish SSL-connections from a browser (IE) via a Cisco Content
> Switch to an SSL-accelerator. In between the browser and the Content
> Switch there is a Firewall with NAT enabled. Under high load (many users
> connecting simultaneously) we get a lot of Broken Pipe errors on client
> site, which indicates that the TCP/IP connection is unexpectedly closed.
SSL is carried over TCP, so ordinarily NAT shouldn't interfere with it.

Get the excellent ssldump to watch the SSL traffic, if possible from both

(Some versions of) MSIE reportedly do not shut SSL connections down
cleanly. Check to see if your SSL accelerator handles this.

Also, if your Cisco Content Switch load-balances SSL connections to more
than one SSL accelerator, then things can get real fun!
-- Ng Pheng Siong <email@example.com>
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
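An added example, not part of the original message: one way to check a captured one-direction TCP payload for the unclean SSL shutdown mentioned above is to walk the record headers and see whether an alert record was the last thing sent before the connection closed. The function names and the sample byte strings are assumptions constructed for illustration, and the stream is assumed to contain only SSLv3/TLS-format records.

```python
import struct

# Record content types shared by SSLv3 and TLS 1.x.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def rec(ctype, body):
    """Build one SSLv3 (version 3.0) record; used only for constructed samples."""
    return struct.pack("!BBBH", ctype, 3, 0, len(body)) + body

def walk_records(stream):
    """Yield (type_name, length) per record in one direction of a TCP stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES or major != 3:
            # e.g. an SSLv2-format hello, or a capture that starts mid-stream
            raise ValueError(f"not an SSLv3/TLS record at offset {off}")
        if off + 5 + length > len(stream):
            yield ("truncated", length)   # peer closed in the middle of a record
            return
        yield (CONTENT_TYPES[ctype], length)
        off += 5 + length
    if off != len(stream):
        yield ("truncated", len(stream) - off)  # partial header left over

def classify_close(stream):
    """Say how this side ended its half of the connection."""
    records = list(walk_records(stream))
    if not records:
        return "no-records"
    last = records[-1][0]
    if last == "alert":
        # After the handshake the alert body is encrypted, so this is most
        # likely close_notify but could also be a fatal alert.
        return "alert-before-close"
    if last == "truncated":
        return "truncated-record"
    return "closed-without-alert"

# Constructed samples: handshake, ChangeCipherSpec, data, then three endings.
BASE = rec(22, b"\x00" * 40) + rec(20, b"\x01") + rec(23, b"\xaa" * 64)
CLEAN = BASE + rec(21, b"\xbb" * 22)          # encrypted alert sent last
ABRUPT = BASE                                  # TCP closed, no alert at all
CUT = BASE + rec(23, b"\xcc" * 100)[:30]       # closed mid-record

if __name__ == "__main__":
    for name, s in (("clean", CLEAN), ("abrupt", ABRUPT), ("cut", CUT)):
        print(name, classify_close(s))
```

Run it over the client-to-server payload of each failing connection; many "closed-without-alert" or "truncated-record" results point at the shutdown behaviour rather than at NAT.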