We encountered a problem with HTTPS optimization after
replacing the existing appliance. We installed the SSL license on the
appliance. We trusted the certificates on both the server-side and client-side
appliances – it was listed under the self-signed peer gray list. Still, the
optimized connections were having “protocol error” - the SSL handshake between the
client-side and server-side appliances failed. We could see the logs below.
May 28 15:53:00 COGINKOLBANRVBS1 sport[1884]: [io/outer/prod.ERR] 2395632 {10.243.171.105:52695 10.242.29.27:7884} Err while reading: Connection timed out
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} SSL inner channel with the server-side steelhead at IP: 10.242.31.173 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/client.WARN] 3367929 {10.236.145.63:42635 10.242.237.31:443} - most likely due to a misconfiguration of trust between the steelheads.
May 28 15:53:01 COGINKOLBANRVBS1 sport[1884]: [sslinnerchan/bypass_table.WARN] - {- -} Temporarily disabling interception of traffic for 10.242.237.31:443 - Misconfiguration of inner SSL security between client-side and server-side Steelhead appliances
We had seen similar issues at the time of the initial deployment,
and we used to remove the certificates and trust them again (when they popped up
under the gray list). But this didn’t help this time. We also restarted the
services – the issue still remained.
Finally, we added the peer appliance certificate “PEM file”
under “peering trust” manually on both appliances, and SSL optimization
started working immediately.
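
The warnings quoted above name the server-side peer whose inner-channel handshake failed and the destination for which interception was disabled, so they can be tallied per peer to see which appliances need their peering trust checked. The script below is an added example, not part of the original post; its sample lines, hostname and addresses are constructed, following the message format of the logs above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the message format quoted in the post
# (hostname and addresses are placeholders, not values from the post).
SAMPLE_LOG = """\
May 28 15:53:00 sh-client-01 sport[1884]: [io/outer/prod.ERR] 100 {192.0.2.10:52695 198.51.100.7:7884} Err while reading: Connection timed out
May 28 15:53:01 sh-client-01 sport[1884]: [sslinnerchan/client.WARN] 101 {192.0.2.11:42635 198.51.100.20:443} SSL inner channel with the server-side steelhead at IP: 203.0.113.5 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently
May 28 15:53:01 sh-client-01 sport[1884]: [sslinnerchan/client.WARN] 101 {192.0.2.11:42635 198.51.100.20:443} - most likely due to a misconfiguration of trust between the steelheads.
May 28 15:53:01 sh-client-01 sport[1884]: [sslinnerchan/bypass_table.WARN] - {- -} Temporarily disabling interception of traffic for 198.51.100.20:443 - Misconfiguration of inner SSL security between client-side and server-side Steelhead appliances
May 28 15:54:10 sh-client-01 sport[1884]: [sslinnerchan/client.WARN] 102 {192.0.2.12:40001 198.51.100.21:443} SSL inner channel with the server-side steelhead at IP: 203.0.113.5 cannot be established because the ssl handshake with the server-side steelhead probably failed very recently
"""

# Syslog prefix, then "[module.LEVEL] message" as emitted by the sport process.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sport\[\d+\]: "
                  r"\[(?P<module>[^\]]+)\.(?P<level>[A-Z]+)\] (?P<msg>.*)$")
PEER = re.compile(r"\{\S+ (?P<dst>\S+)\} SSL inner channel with the server-side "
                  r"steelhead at IP: (?P<peer>[\d.]+) cannot be established")
BYPASS = re.compile(r"Temporarily disabling interception of traffic for (?P<dst>\S+) - ")

def summarize(text):
    """Group inner-channel handshake failures by server-side peer IP."""
    peers = defaultdict(lambda: {"failures": 0, "servers": set()})
    bypassed = set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not sport log entries
        if m["module"] == "sslinnerchan/client":
            p = PEER.search(m["msg"])
            if p:  # the "- most likely due to ..." continuation has no peer IP
                peers[p["peer"]]["failures"] += 1
                peers[p["peer"]]["servers"].add(p["dst"])
        elif m["module"] == "sslinnerchan/bypass_table":
            b = BYPASS.search(m["msg"])
            if b:
                bypassed.add(b["dst"])
    return dict(peers), bypassed

if __name__ == "__main__":
    peers, bypassed = summarize(SAMPLE_LOG)
    for ip, info in peers.items():
        print(f"peer {ip}: {info['failures']} failed handshakes, servers {sorted(info['servers'])}")
    print("interception disabled for:", sorted(bypassed))
```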