02-19-2014 04:50 AM
Upon access (https) of the CDN provider's caching servers on the internet to our real servers via ADX, sessions are reported by them to get idle-terminated too early (after approx. 2 minutes) due to too late a response from our real servers (sometimes they take longer than 2 mins.). According to their experience, the PCON value of all session-terminating devices in that path should be set to around 300 secs.
1.) For verification of the provider's assumption: Is it possible to configure logging of connections/sessions at a level of detail providing start / end time, source / destination IP address, protocol info and reason for closing/termination? As mentioned above, I need to figure out whether certain sessions/connections from outside to ADX and from ADX to real servers are terminated due to idle or other reasons.
2.) In case the idle timeout for connections/sessions is too low, how can I increase it for this scenario: external https access to SLB virtual server IP on ADX -> terminated there and forwarded via TCP port 81 to real servers.
Setup: ServerIron ADX 1016 12.4 routing / Config: SSL termination, SLB: Virtual server IP mapped to real server groups, source-nat of incoming external traffic to IP of interface towards real servers
02-21-2014 05:03 PM
If you want to verify that the sessions are getting aged due to inactivity, then what you can do is go on the BP console using the rcon 1 <bp_num> command, where bp_num can be 1, 2, 3 or 4, and issue the command "show server debug". This command prints a bunch of counters, one of which is Aged; if this counter is incrementing, then sessions may be getting aged due to inactivity.
The default timeout for a TCP session is 30 minutes. If you have not changed it, then sessions should time out after 30 minutes of inactivity.
Here is an example of this command.
ServerIronADX 1000#rcon 1 1
ServerIronADX 10001/1#sho server debug | i Aged
Drops = 0 Aged = 0
02-24-2014 08:45 AM
Thanks a lot for the information provided - TCP timeout is unchanged and therefore default.
Actually I am searching for a way to track aging out of certain sessions (src & dst IP, ...), for which an overall counter unfortunately does not help too much. The target is to find out whether certain sessions have been terminated due to late response from the real server(s) side or other reasons. Based on that info, troubleshooting might be narrowed down to real web servers, ADX or CDN provider.
Since the problem only occurs randomly, I need to rely on logs and have no chance to enable debugging.
Any idea on how to achieve that?
02-24-2014 11:04 AM
You can use session logging on your ADX to get the session information sent to an external syslog server. You can enable this feature for a specific port or for all sessions. Here is the link to the documentation of this feature. In the following link, look for the heading "Enabling TCP/UDP Session Logging"
If you are using Layer7 switching, then I think it's worth looking into Layer7 policy-related counters; also make sure that there is no issue with the Layer7 configuration.