Re: [fw-wiz] Broken pipe on SSL connections

From: Ng Pheng Siong (ngps_at_netmemetic.com)
Date: 01/26/04

    To: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>
    Date: Mon, 26 Jan 2004 11:16:33 +0800
    
    

    On Fri, Jan 23, 2004 at 09:30:05PM +0100, Ludolph, Michel wrote:
    > We establish SSL-connections from a browser (IE) via a Cisco Content
    > Switch to an SSL-accelerator. In between the browser and the Content
    > Switch there is a Firewall with NAT enabled. Under high load (many users
    > connecting simultaneously) we get a lot of Broken Pipe errors on client
    > site, which indicates that the TCP/IP connection is unexpectedly closed.

    SSL is carried over TCP, so ordinarily NAT shouldn't interfere with it.

    Get the excellent ssldump to watch the SSL traffic, if possible from both
    ends.

    (Some versions of) MSIE reportedly do not shut SSL connections down
    cleanly. Check to see if your SSL accelerator handles this.

    Also, if your Cisco Content Switch load-balances SSL connections to more
    than one SSL accelerator, then things can get real fun!

    Cheers.

    -- 
    Ng Pheng Siong <ngps@netmemetic.com> 
    http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
    http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
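
The check suggested in the reply above (watch the traffic with ssldump and see whether connections are shut down cleanly), as an added example that is not part of the original message: a small parser that flags every TCP FIN sent by a side that never sent a close_notify alert first. The sample capture is constructed, and its record layout is an assumption modelled on ssldump's decoded output.

```python
import re

# Constructed sample; the record layout is an assumption modelled on
# ssldump's decoded output. Host names are placeholders.
SAMPLE = """\
New TCP connection #1: client.example(3638) <-> accel.example(443)
1 1  0.0738 (0.0738)  C>S  Handshake
      ClientHello
1 2  0.3120 (0.2382)  C>S  application_data
1 3  0.3542 (0.0422)  C>S  Alert
    level           warning
    value           close_notify
1    0.3549 (0.0007)  C>S  TCP FIN
1 4  0.3560 (0.0011)  S>C  Alert
    level           warning
    value           close_notify
1    0.3571 (0.0011)  S>C  TCP FIN
New TCP connection #2: client.example(3639) <-> accel.example(443)
2 1  0.0100 (0.0100)  C>S  Handshake
      ClientHello
2 2  0.2000 (0.1900)  C>S  application_data
2    0.2500 (0.0500)  C>S  TCP FIN
"""

# conn number, optional record number, timestamp, (delta), direction, record type
RECORD = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s+(.+?)\s*$")

def unclean_closes(dump):
    """Return (conn, direction) for every TCP FIN that the same side sent
    without first sending a close_notify alert on that connection."""
    notified = set()   # (conn, direction) pairs that sent close_notify
    in_alert = None    # (conn, direction) of the Alert whose detail lines follow
    findings = []
    for line in dump.splitlines():
        m = RECORD.match(line)
        if m:
            key, kind = (int(m.group(1)), m.group(2)), m.group(3)
            in_alert = key if kind == "Alert" else None
            if kind == "TCP FIN" and key not in notified:
                findings.append(key)
        elif in_alert and line.split() == ["value", "close_notify"]:
            notified.add(in_alert)
    return findings

if __name__ == "__main__":
    for conn, direction in unclean_closes(SAMPLE):
        print(f"connection #{conn}: {direction} TCP FIN without close_notify")
```

Running the same check on captures from both ends shows whether a missing close_notify originates at the browser or is introduced by a device in between.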
    
