dragonflymr
May 23, 2017

OneConnect, SSL Bridging and Apache2 server

Hi,

 

I am using the config as in the subject. Everything works OK, idle TCP connections are reused. The only problem is that the Apache2 server is closing the TCP connection with the SSL session after 20s when no traffic is reaching the server.

 

That is not related to Keep-Alive settings on BIG-IP or Apache2 server, the same settings are used for HTTP traffic and all timeouts on BIG-IP or server are respected, idle connection is closed after 298s (Keep-Alive Timeout set on Apache2 server). Verified by trace - server is sending FIN-ACK to BIG-IP.

 

So it seems that there is some SSL related timeout used by Apache2 - problem is I can't find any info how to change it - any help appreciated.

 

Piotr

 

4 Replies

  • JG

    Check the setting of SSLSessionCacheTimeout in your Apache server.

    "This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC5077)."

  • Hi,

    I was looking before at this setting but according to info from Apache Module mod_ssl:

    Default: SSLSessionCacheTimeout 300

    So without changing it should not force connection close after 20 s

    Indeed it was not the cause. When looking in the Apache logs I spotted these entries:

    [client 10.129.10.3:2944] AH01382: Request header read timeout
    [client 10.129.10.3:2944] AH01991: SSL input filter read failed.
    [client 10.129.10.3:2944] AH02001: Connection closed to child 3 with standard shutdown (server lamp4-110.test.com:443)
    

    After some research it seems that there is a bug in version I am using (2.4.7-1ubuntu4.13) described here bug.

    So it turned out that I had to set this entry in my Virtual Host config:

    RequestReadTimeout header=300 to override default value from global config RequestReadTimeout header=20-40,minrate=500

    Sure not production solution but at least it fixed issue for my testing site.

    Piotr

    • JG

      mod_reqtimeout is not a core module, and I wouldn't have it enabled at all since the httpd server sits behind F5.

       

    • dragonflymr

      Hi,

       

      I am far from Apache guru :-(, just had it enabled on my test system. I guess it should work OK with F5 after fixing bugs (as in mentioned link) but if you say it should not be used with F5 I will try to disable it and see if it will fix an issue.

       

      I noticed another strange situation caused by this mod (this time for HTTP traffic):

       

      • Send single request to server - connection will be closed according to server KeepAlive Timeout
      • Send multiple requests to the same server - again 20s issue is here

      No idea why :-(

       

      Piotr
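
To check whether connection closes on the Apache side are driven by mod_reqtimeout rather than by Keep-Alive, the error-log entries quoted in the thread can be correlated per connection. The script below is an added example, not part of the original thread or of any F5 or Apache tooling; the function names are hypothetical, the fourth sample line is constructed, and it assumes each ip:port pair occurs only once in the excerpt being analysed.

```python
import re
from collections import Counter, defaultdict

# "[client ip:port] AHnnnnn: message", found anywhere in an Apache 2.4 error-log line.
ENTRY = re.compile(r"\[client (?P<ip>[^\]]+):(?P<port>\d+)\] (?P<code>AH\d{5}): ")

REQ_TIMEOUT = "AH01382"  # "Request header read timeout", as quoted in the thread
CLOSED = "AH02001"       # "Connection closed to child ...", as quoted in the thread

# The first three lines are the entries quoted in the thread. The fourth is
# constructed: a hypothetical second connection closed without a read timeout.
SAMPLE = [
    "[client 10.129.10.3:2944] AH01382: Request header read timeout",
    "[client 10.129.10.3:2944] AH01991: SSL input filter read failed.",
    "[client 10.129.10.3:2944] AH02001: Connection closed to child 3 with "
    "standard shutdown (server lamp4-110.test.com:443)",
    "[client 10.129.10.3:2950] AH02001: Connection closed to child 5 with "
    "standard shutdown (server lamp4-110.test.com:443)",
]

def classify(lines):
    """Map each (ip, port) to 'closed-by-reqtimeout', 'reqtimeout-only' or 'other'."""
    codes = defaultdict(list)
    for line in lines:
        m = ENTRY.search(line)
        if m:  # lines without a [client ...] AHnnnnn entry are ignored
            codes[(m["ip"], int(m["port"]))].append(m["code"])
    labels = {}
    for conn, seen in codes.items():
        if REQ_TIMEOUT not in seen:
            labels[conn] = "other"
        elif CLOSED in seen[seen.index(REQ_TIMEOUT):]:
            # The close was logged after the header read timeout fired.
            labels[conn] = "closed-by-reqtimeout"
        else:
            labels[conn] = "reqtimeout-only"
    return labels

def reqtimeout_closes_by_ip(lines):
    """Count reqtimeout-driven closes per client IP as logged by Apache."""
    return Counter(ip for (ip, _), label in classify(lines).items()
                   if label == "closed-by-reqtimeout")

if __name__ == "__main__":
    for conn, label in classify(SAMPLE).items():
        print(conn, label)
    print(dict(reqtimeout_closes_by_ip(SAMPLE)))
```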