bchick2_8645
Nov 06, 2011Nimbostratus
SSL Cache Timeout
This is my first time posting so I apologize if this isn't the best place for this. I'm trying to learn more details about the Cache Timeout settng in the SSL profile. We have an issue where it appears a users SSL session has expired on the Big IP even though they have continued to be active. Basically we log when an SSL session is created, what that SSL session ID is, the source IP, and a couple other things. An hour later (after the default cache timeout expires) and the user makes their next action a new SSL session is created at the Big IP. If we change the cache timeout setting to two hours the behavior occurs after two hours. Does this timeout not get extended with activity? Is there a way to make it be extended like most timeouts? I expected when I saw this value and it's default of one hour that the SSL session would expire after one hour of inactivity. This only causes a problem for us because we're associating a client cert with the SSL session ID (in the session table) and when the new SSL session is negotiated for some reason IE is not resending the client certificate and does not prompt the user to select one. Since it is associated with the old SSL session ID the user just gets redirected to our "client cert required" screen in the middle of an active session. As far as our back end app server is concerned it just didn't receive a client cert from Big IP so that is the default behavior (to redirect to that screen).
I can provide more details if necessary but I'm really just trying to understand the SSL cache timeout as that seems to be the key to resolving our issue. (In case you're wondering the timeout on the "session add" command that adds the cert to the session table is currently set to be longer than the cache timeout and it doesn't make a difference. Testing has indicated that timeout does get extended with activity (apparently) unlike the cache timeout).