SSL handshake from client failed - every 5 seconds in Secure Gateway event log

Issue

The following error appears in the event log every five seconds:

Source: Secure Gateway
Category: SCHANNEL
Event ID: 125
Description: SSL handshake from client failed

This is caused by a Cisco Content Services Switch keepalive parameter checking to ensure the host is still live. This occurs with either an SSL keepalive or a TCP keepalive on port 443.

Resolution

To avoid logging this traffic:

Method 1:
Run the Secure Gateway Configuration Wizard from Start | Programs | Citrix | Administration Tools

- Click OK
- Select the Advanced radio button and click OK
- Click Next until the Logging exclusions dialogue appears: "Certain devices, such as load balancers, can generate unnecessary log entries"
- Click Add to "Specify the device(s) to exclude from logging"
- Enter the IP address of the device
- Click Next until the last dialogue
- Click Finish

Method 2:
Edit the underlying configuration file directly to achieve the same result, or to exclude a whole subnet:

Edit "C:\Program Files\Citrix\Secure Gateway\conf\httpd.conf" and add the following lines directly above the "# Do not log GIF's & requests from localhost" comment:

# Don't Log Cisco CSS Healthcheck
SetEnvIf Remote_Addr ^172.16.1.1$ nolog

Where 172.16.1.1 is the source IP address the Cisco CSS uses when sending the keepalive. Be aware that this may differ from the IP address on which the Cisco CSS receives traffic.

To avoid logging a whole subnet:

# Don't Log Cisco CSS Healthcheck
SetEnvIf Remote_Addr ^172.16.1. nolog

This will not log traffic from the 172.16.1.X subnet.

Run the Secure Gateway Configuration Wizard and click Restart to accept and activate the changes, then click Cancel and click Yes to quit the Wizard.
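The following added example (not from the original article or from Citrix) shows what those SetEnvIf patterns actually match. It mimics Apache's Remote_Addr matching, which searches the regular expression against the address unanchored, and assumes the log directive in httpd.conf is of the form CustomLog ... env=!nolog (an assumption about the Secure Gateway configuration, not stated on the page). The sample addresses are constructed for the demonstration.

```python
import re

# Constructed sample connections as Secure Gateway would see them:
# (source address, request line). Not real traffic.
SAMPLE_REQUESTS = [
    ("172.16.1.1",   "GET / HTTP/1.1"),         # the CSS keepalive source address
    ("172.16.1.20",  "GET / HTTP/1.1"),         # another host in 172.16.1.0/24
    ("172.16.10.5",  "GET /Citrix/ HTTP/1.1"),  # different subnet: note the "10"
    ("172.16.111.7", "GET /Citrix/ HTTP/1.1"),  # different subnet again
    ("192.168.5.9",  "GET /Citrix/ HTTP/1.1"),  # an ordinary user
]

# Patterns exactly as they appear in the article's httpd.conf snippets.
PAGE_SINGLE_HOST = r"^172.16.1.1$"
PAGE_SUBNET = r"^172.16.1."

# Tighter alternative: dots escaped and the last octet anchored, so only
# 172.16.1.0/24 is excluded. (Added here, not from the article.)
STRICT_SUBNET = r"^172\.16\.1\.\d{1,3}$"


def setenvif_remote_addr(pattern, remote_addr):
    """Mimic 'SetEnvIf Remote_Addr <regex> nolog'.

    Returns True when the 'nolog' environment variable would be set for this
    connection. Apache applies the regex as an unanchored search over the
    attribute value, so re.search (not re.fullmatch) models it.
    """
    return re.search(pattern, remote_addr) is not None


def excluded(pattern, requests=SAMPLE_REQUESTS):
    """Addresses that would be suppressed by the (assumed) env=!nolog directive."""
    return [addr for addr, _ in requests if setenvif_remote_addr(pattern, addr)]


def entries_to_log(pattern, requests=SAMPLE_REQUESTS):
    """Addresses that would still be written to the access log."""
    return [addr for addr, _ in requests if not setenvif_remote_addr(pattern, addr)]


if __name__ == "__main__":
    for name, pattern in [("page single host", PAGE_SINGLE_HOST),
                          ("page subnet", PAGE_SUBNET),
                          ("strict subnet", STRICT_SUBNET)]:
        print(f"{name:16} {pattern:24} excluded={excluded(pattern)}")
```

Running the script shows that the single-host pattern from the article excludes only 172.16.1.1 as intended, but the subnet pattern `^172.16.1.` also excludes 172.16.10.5 and 172.16.111.7, because an unescaped dot in a regular expression matches any character and the pattern is not anchored at the end. If your Secure Gateway sits in front of several 172.16.x.0/24 networks, the escaped and anchored form keeps log entries for everything outside 172.16.1.0/24.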

Important Note:

Advanced load balancing is required on the Cisco Content Services Switch to properly allocate traffic to Secure Gateway. Without it, users may log in successfully only to be presented with a logged-out message, because they have been switched to a different Secure Gateway mid-session and do not have a valid session on that Secure Gateway. Source IP stickiness is known to work with Secure Gateway, and is configured on the Cisco Content Services Switch with the following command:

advanced-balance sticky-srcip

References

Cisco Content Services Switch Basic Configuration Guide
http://theether.net/download/Cisco/ccmigration_09186a0080117623.pdf

Secure Gateway 3.0 Configuration File - httpd.conf
http://support.citrix.com/kb/article/CTX107581

keepalive type ssl - SSL HELLO keepalives for this service. Use this keepalive for all backend services supporting SSL. The CSS sends a client HELLO to connect the SSL server. After the CSS receives a HELLO from the server, the CSS closes the connection with a TCP RST.

keepalive type tcp - A TCP session that determines service viability (3-way handshake and reset (RST)). By default and in compliance with RFC 1122, the CSS sends a RST to close the socket on a server port for TCP keepalives. A RST is faster than a FIN, because a RST requires only one packet, while a FIN can take up to four packets. If your servers require a graceful closing of a socket using a FIN, you can use a script keepalive.

Use the advanced-balance command to specify an advanced load-balancing method for a content rule that includes stickiness. A content rule is “sticky” when additional sessions from the same user or client are sent to the same service as the first connection, overriding normal load balancing. By default, the advanced balancing method is disabled.

Configure Logging Exclusions
Typically, third-party network devices such as load balancers generate extraneous Secure Gateway log information. For example, load balancers may poll the Secure Gateway repeatedly to ensure that the server is active. Each poll is recorded by the Secure Gateway as a connection, resulting in the event log containing several unnecessary entries.

Note: The Secure Gateway and the Secure Gateway Proxy generate their own log files. Therefore, if you deployed the Secure Gateway in proxy mode, you must configure each component’s logging exclusions separately.

Ripped off by Citrix: http://support.citrix.com/article/CTX112998

Products

Citrix Secure Gateway 3.0
Cisco Content Services Switch (any)

Created: 21st July 2006
Updated: 20th February 2008

© 2005-2024 Jamie Morrison