OneConnect, SSL Bridging and Apache2 server
Hi,
I am using the config as in the subject. Everything works OK; idle TCP connections are reused. The only problem is that the Apache2 server is closing the TCP connection with the SSL session after 20s when no traffic is reaching the server.
That is not related to Keep-Alive settings on the BIG-IP or Apache2 server: the same settings are used for HTTP traffic and all timeouts on the BIG-IP or server are respected; the idle connection is closed after 298s (Keep-Alive Timeout set on the Apache2 server). Verified by trace - the server is sending FIN-ACK to BIG-IP.
So it seems that there is some SSL-related timeout used by Apache2 - the problem is I can't find any info on how to change it - any help appreciated.
Piotr
- JGCumulonimbus
Check the setting of SSLSessionCacheTimeout in your Apache server.
"This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC5077)."
- dragonflymrCirrostratus
Hi,
I was looking before at this setting but according to info from Apache Module mod_ssl:
Default: SSLSessionCacheTimeout 300
So without changing it, it should not force a connection close after 20 s.
Indeed it was not the cause. When looking in the Apache logs I spotted these entries:
[client 10.129.10.3:2944] AH01382: Request header read timeout
[client 10.129.10.3:2944] AH01991: SSL input filter read failed.
[client 10.129.10.3:2944] AH02001: Connection closed to child 3 with standard shutdown (server lamp4-110.test.com:443)
After some research it seems that there is a bug in the version I am using (2.4.7-1ubuntu4.13), described here: bug.
So it turned out that I had to set this entry in my Virtual Host config:
RequestReadTimeout header=300
to override the default value from the global config:
RequestReadTimeout header=20-40,minrate=500
Sure, not a production solution, but at least it fixed the issue for my testing site.
Piotr
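The log correlation described in the post above, as an added example that is not part of the original thread: it scans Apache error-log lines for a header read timeout (AH01382) followed by the connection close (AH02001) for the same client, which separates mod_reqtimeout closures from ordinary ones. The function and variable names are assumptions, and the 192.0.2.7 sample line is constructed; the other sample lines are the ones quoted in the post.

```python
import re

# Matches the "[client ip:port] AHnnnnn:" part of an Apache 2.4 error-log entry.
# finditer() is used so that several entries run together on one line still parse.
ENTRY = re.compile(r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}):")

REQTIMEOUT = "AH01382"  # Request header read timeout
CLOSED = "AH02001"      # Connection closed ... with standard shutdown


def reqtimeout_closures(lines):
    """Return one record per connection that was closed after a header read timeout.

    A client (ip:port) is reported when AH01382 is later followed by AH02001
    for the same client; codes seen in between (e.g. AH01991) are kept.
    """
    pending = {}  # client -> codes seen since its header read timeout
    hits = []
    for line in lines:
        for m in ENTRY.finditer(line):
            client, code = m["client"], m["code"]
            if code == REQTIMEOUT:
                pending[client] = [code]
            elif client in pending:
                pending[client].append(code)
                if code == CLOSED:
                    hits.append({"client": client, "codes": pending.pop(client)})
    return hits


# Sample input: three lines from the post plus one constructed line (192.0.2.7)
# for a connection that closed without a preceding header read timeout.
SAMPLE = [
    "[client 10.129.10.3:2944] AH01382: Request header read timeout",
    "[client 10.129.10.3:2944] AH01991: SSL input filter read failed.",
    "[client 192.0.2.7:51000] AH02001: Connection closed to child 5 "
    "with standard shutdown (server lamp4-110.test.com:443)",
    "[client 10.129.10.3:2944] AH02001: Connection closed to child 3 "
    "with standard shutdown (server lamp4-110.test.com:443)",
]

if __name__ == "__main__":
    for hit in reqtimeout_closures(SAMPLE):
        print(hit["client"], "->", " ".join(hit["codes"]))
```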
- JGCumulonimbus
mod_reqtimeout is not a core module, and I wouldn't have it enabled at all since the httpd server sits behind F5.
- dragonflymrCirrostratus
Hi,
I am far from an Apache guru :-(, just had it enabled on my test system. I guess it should work OK with F5 after fixing the bugs (as in the mentioned link), but if you say it should not be used with F5 I will try to disable it and see if it fixes the issue.
I noticed another strange situation caused by this mod (this time for HTTP traffic):
- Send a single request to the server - the connection will be closed according to the server KeepAlive Timeout
- Send multiple requests to the same server - again the 20s issue is here
No idea why :-(
Piotr