Https timeouts

    I am getting page timeouts on HTTPS browsing; this only becomes apparent when several people are accessing the same site at the same time. Traffic isn't very high, of the order of 40-60kbs max (according to manageengine and pfflowd), but the sessions are failing. Users are using IE7, and since the secure session is lost, this is causing absolute chaos as these are exams, and a 5 minute wait is required before the exam can be recovered.

    I had set up pfsense to load balance the two connections I have in this office, but have since removed that facility. Turning on or off squid makes no difference, nor does traffic shaping, and I've set Firewall Optimization Options to conservative but no dice.

    I've ordered some Intel server network cards in case the Realtek and Intel NICs (Optiplex 170L) driver instability might be contributing to this as well.

    I'll be testing this further using just the basic BT business router and IPcop to determine if pfsense or ISP is associated with this problem, but has anyone seen anything like this themselves or got any suggestions?

  • When you are using multiwan, make sure all traffic with a destination port of 443 doesn't get load balanced, but failovered.

    Secured sessions don't like it if the source IP changes.

  • Yes, I made sure of that from the start, in fact not even failovered since only one external IP was authorised, and later removing the second connection and turning off all the load balancing settings pretty much confirmed that that wasn't the source of the problem.

    I have also upgraded this box; I was previously using a 1GHz Compaq box, but that occasionally had 60% CPU usage in the RRD logs, so I thought that might have caused it. Unfortunately not!

  • Could it be that sticky connections (System -> Advanced) is ticked?

  • I read that that was a bit too bleeding edge so didn't tick it in the first place…

  • Having used a vanilla pfsense box with a separate ADSL connection (Draytek Vigor 110 supplying PPPoE), I continued to have exactly the same problem.

    So no multiwan, or traffic balancing, or transparent proxy server issues (I'd spent a lot of time trying to troubleshoot this by scaling back the features I wanted to use).

    Incidentally the tech in the government department who supply the test did say that they had problems with ISPs who used transparent proxies.

    The solution was to use IPCOP instead - unfortunately I was completely unable to get this working with pfsense, but a vanilla ipcop installation did the job fine. Which was nice in one way, since I've been using ipcop for a good 5 years and found it to be excellent.

    I will continue to use pfsense, as I consider it superior in many ways, in terms of the packages and reporting, and clearly it is actively being developed whereas ipcop seems to be taking a rest at the moment. But I can't use it as my sole solution, at least where these government tests are concerned.

