Let us share our KNOWLEDGE and grow TOGETHER

Thursday, June 27, 2013

SSL Optimization Issue - in Steelhead



We encountered a problem with HTTPS optimization after replacing the existing appliance. We installed the SSL license on the appliance. We trusted the certificates on both the server-side and client-side appliances – it was listed under the self-signed peer gray list. Still, the optimized connections were showing “protocol error”: the SSL handshake between the client-side and server-side appliances failed. We could see the logs below.

May 28 15:53:00 COGINKOLBANRVBS1 sport[1884]: [io/outer/prod.ERR] 2395632 {10.243.171.105:52695 10.242.29.27:7884} Err while reading: Connection timed out

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} SSL inner channel with the server-side steelhead at IP: 10.242.31.173 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} - most likely due to a misconfiguration of trust between the steelheads.

May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/bypass_table.WARN] - {- -} Temporarily disabling interception of traffic for 10.242.237.31:443 - Misconfiguration of inner SSL security between client-side and server-side Steelhead appliances

We had seen similar issues during the initial deployment, and we used to remove the certificates and trust them again (when they popped up under the gray list). But this didn't help this time. We also restarted the services, and the issue still remained.

Finally, we manually added the peer appliance certificate “PEM file” under the “peering trust” on both appliances, and SSL optimization started working immediately.
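To find which server-side peer needs its trust re-established, the inner-channel warnings above can be grouped by peer IP. The following is an added example, not part of the original post or of any Riverbed tooling; the line layout in the regex and the function name `triage` are assumptions drawn only from the four log lines shown here.

```python
import re
from collections import defaultdict

# Log lines copied from the post above.
SAMPLE_LOG = """\
May 28 15:53:00 COGINKOLBANRVBS1 sport[1884]: [io/outer/prod.ERR] 2395632 {10.243.171.105:52695 10.242.29.27:7884} Err while reading: Connection timed out
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} SSL inner channel with the server-side steelhead at IP: 10.242.31.173 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} - most likely due to a misconfiguration of trust between the steelheads.
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/bypass_table.WARN] - {- -} Temporarily disabling interception of traffic for 10.242.237.31:443 - Misconfiguration of inner SSL security between client-side and server-side Steelhead appliances
"""

# Assumed layout: timestamp host sport[pid]: [module.LEVEL] conn-id {src dst} message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssport\[\d+\]:\s"
    r"\[(?P<module>[^\]]+)\.(?P<level>[A-Z]+)\]\s(?P<cid>\S+)\s"
    r"\{(?P<src>\S+)\s(?P<dst>\S+)\}\s(?P<msg>.*)$"
)
PEER_RE = re.compile(r"server-side steelhead at IP: (?P<peer>\d+\.\d+\.\d+\.\d+)")
BYPASS_RE = re.compile(r"Temporarily disabling interception of traffic for (?P<dst>\S+)")


def triage(log_text):
    """Group inner-channel trust failures by peer and list bypassed servers."""
    peers = defaultdict(set)  # server-side peer IP -> {(client, server) flows}
    bypassed = set()          # server ip:port no longer intercepted
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["module"].startswith("sslinnerchan/"):
            continue  # ignore unrelated modules such as io/outer
        peer = PEER_RE.search(m["msg"])
        if peer:
            peers[peer["peer"]].add((m["src"], m["dst"]))
        byp = BYPASS_RE.search(m["msg"])
        if byp:
            bypassed.add(byp["dst"])
    return {
        "untrusted_peers": {p: sorted(f) for p, f in peers.items()},
        "bypassed": sorted(bypassed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Each key under `untrusted_peers` is an appliance whose certificate should be checked in the peering trust list; each entry under `bypassed` is a server whose traffic is currently passing without interception.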
