fusi0n Posted March 2, 2015
I am having issues with a SonicWall kicking out some SSL connections. Connections to sites like Facebook and Twitter work fine. However, some banks and another site will log in, then say "session timed out". I am not filtering any HTTPS traffic. Any help or direction would be amazing. Thanks!
+BudMan (MVC) Posted March 2, 2015
And are you sure it's just not a session timeout? Banks normally have very low session times; have seen as low as a minute.
Zinomian Posted March 2, 2015
Are you doing load balancing?
fusi0n (Author) Posted March 2, 2015
> And are you sure it's just not a session timeout? Banks normally have very low session times; have seen as low as a minute.
This is happening on multiple computers, including mine. I've seen many different places in the SonicWall for the HTTPS session limit and it is set to 15 minutes; the UDP one is set to 30 seconds, but it doesn't like it when you change it. I can try to manually add these rules.
> Are you doing load balancing?
I am doing load balancing. I have tried turning off one circuit, but the same problem is still there.
remixedcat Posted March 2, 2015
Does your firewall also have a WAN acceleration cache?
fusi0n (Author) Posted March 2, 2015
> Are you doing load balancing?
I have the SonicWall in a round robin with the two DSL circuits. I took out one of the circuits, and it works fine. Now I need to figure out how to do LB without breaking SSL. Also, thanks.
+BudMan (MVC) Posted March 2, 2015
Who said it was your timeout? We have logins to firewalls that time out in 60 seconds if you don't do anything, for example. Banks are not going to be the ones to leave your session open for 30 minutes if you don't do anything, etc. That is a huge security issue. Yes, have seen where users complain, complain to the bank, etc., not the firewall settings.
fusi0n (Author) Posted March 2, 2015
> Who said it was your timeout? We have logins to firewalls that time out in 60 seconds if you don't do anything, for example. Banks are not going to be the ones to leave your session open for 30 minutes if you don't do anything, etc. That is a huge security issue. Yes, have seen where users complain, complain to the bank, etc., not the firewall settings.
No one said it was for sure a timeout issue. The users would just log in and be instantly kicked out saying "session timed out". Taking that circuit out of the LB seems to fix the issue, but now half my bandwidth is gone.
Haggis (Veteran) Posted March 2, 2015
Have a look here: https://supportforums.cisco.com/discussion/11433521/load-balancing-effect-sshhttps-connections
sc302 (Veteran) Posted March 2, 2015
This may help: http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_27936885.html
Zinomian Posted March 2, 2015
> This may help: http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_27936885.html
You can't use Experts-exchange.com for answers, since that is a paid website and you can't see the answer or the entire thread with the info. Round robin shouldn't break website time-outs; only the ratio-based LB would. Any security services enabled? If so, disable them for a short while and test. Any other odd changes you may have made lately? Firmware update?
sc302 (Veteran) Posted March 2, 2015
I have an account. The best way I know how is to force HTTPS traffic through one connection. The regular traffic gets balanced nicely.

According to this: http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/WAN_Failover_Load_Balancing.htm percentage-based load balancing is the one that has "Source and Destination IP Addresses Binding". The link above shares the available options...

But I thought I'd just like to reiterate: under the default probe monitor, SonicWall performs an ICMP probe of both WAN ports' default gateways. This is not an assured means of link monitoring, as a service interruption may be occurring upstream. E.g. if the ISP is experiencing a problem in its routing infra, a successful ping can give the false impression that the line is usable. So for reliable link monitoring (as suggested in the link), for each WAN port choose two targets; TCP is preferred since ICMP may be dropped or blocked. E.g.
> set the first probe target to the ISP router using ICMP (assuming they allow it)
> set the secondary probe target to a DNS server on the public internet using TCP port 53

As for session persistency, I couldn't see any real persistency, as it is still based on which link is the most available, with the path rate-limited according to the percentage-based link assignment. There is also more on bandwidth mgmt, which is another big topic, using GWM with its link credit token to prioritise the usage of bandwidth for certain services like FTP, H323, VNC etc. If you need to go further than this into considering the cost link factor, you would want to explore a real link load balancer such as Radware LinkProof or an F5 link load balancer. Another thing you stated, on metric: I see it as exploring dynamic route recalculation based on interface availability. This is to better support redundant or multiple-path advanced routing configuration. That is another big topic; be familiar with OSPF, RIP etc.

Actually SonicWall also supports Policy Based Routing (PBR), which can have two policy-based routes that force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application. http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/Routing.htm

Not really an expert in this area, but I will say the guide does help to kickstart...

I've set up the SonicWall with the ratio-based load balance algo as per the solution above and could remove all static routes while still being able to connect to HTTPS sites on all uplinks. I did check the "Source and Destination IP Addresses Binding" that becomes available when choosing ratio-based load balance. Thanks again for your time and expertise.
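The mechanism behind the symptom in this thread, as an added example that is not from the thread or from SonicWall's code: a constructed bank server that binds each session to the client IP it first saw is browsed through two WAN policies, per-connection round robin and source/destination IP binding. The WAN IPs, the LAN host, the site name and the hash rule are all assumptions for illustration, not SonicWall's actual algorithm.

```python
"""Why per-connection WAN round robin breaks IP-bound HTTPS sessions.

Constructed scenario: two WAN links with made-up public IPs (documentation
ranges) and a 'bank' that ties each session token to the client IP that
logged in, a common anti-hijack control. Each request is a new TCP connection,
so the firewall's WAN choice decides which public IP the bank sees.
"""
import hashlib
from itertools import cycle

WAN_IPS = ["198.51.100.10", "203.0.113.20"]  # assumed public IPs of the two DSL circuits


class BankSite:
    """Server that rejects a session presented from a different client IP."""

    def __init__(self):
        self.sessions = {}

    def login(self, client_ip):
        token = f"sess-{len(self.sessions) + 1}"
        self.sessions[token] = client_ip
        return token

    def request(self, token, client_ip):
        # IP mismatch is treated like an expired session: "session timed out".
        if self.sessions.get(token) != client_ip:
            return "session timed out"
        return "ok"


def round_robin():
    """Plain round robin: every new connection alternates WAN links."""
    rr = cycle(WAN_IPS)
    return lambda src, dst: next(rr)


def src_dst_binding():
    """Persistence: one (LAN host, destination) pair always uses the same link.
    The SHA-256 hash is an assumed stand-in for the firewall's binding rule."""
    def pick(src, dst):
        h = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return WAN_IPS[h[0] % len(WAN_IPS)]
    return pick


def browse(pick_wan, lan_ip="192.168.1.50", bank="bank.example"):
    """Log in, then make two follow-up requests, each on a new connection."""
    site = BankSite()
    token = site.login(pick_wan(lan_ip, bank))
    return [site.request(token, pick_wan(lan_ip, bank)) for _ in range(2)]
```

Round robin alternates the egress IP between connections, so the first follow-up request after login is rejected; with source/destination binding every connection to the bank leaves through the same link and the session survives.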