Eddie
Hi,
Our company is facing a problem with an asp.net client connecting to a
web service. Basically we front-end it by a Cisco Content Smart Switch
load balancer which has a SonicWall attached to it to do hardware SSL.
The caller is in the same subnet/dmz as the webservice, but due to
business reasons we need it front ended by this hardware.
For about 99% of our transactions they are successful. The problem is
the last 1%. On these 1% of failures, the error message we get is:
"The underlying connection was closed: Could not establish secure
channel for SSL/TLS."
We've already brought this issue to Cisco, and they seem to have found
some strange connection reset problems. Cisco issued us a patch and
we've deployed it to our production environment; however, the problem
still persists. I noticed that there are several people with the same
error string of "The underlying connection etc etc". I don't think
it's a certificate installation problem, as the web service works 99%
of the time.
The servers are currently running .net 1.1 sp1. I also confirmed that
the problem exists using .net 1.1, and .net 1.0sp2. They run Windows
2000 AS.
Are there any possible problems with the framework where if a
connection is reset by another device in the network that the
framework tries to use the previous connection it "knows" about,
rather than re-establish a new ssl connection? Once the problem
occurs, the subsequent request for the webservice is successful, and
then intermittently the problem occurs again.
Also, could there be a timeout where the established connection closes
on the client, and the framework wants to use the stale connection, at
that point giving the error message?
       firewall
           |
 css   css-+-+-sonicwall (Hardware SSL)
  |         /      |
-----      /     -----
|   |     /      |   |
m   m    /       w   w
y   y   /|\      e   e
s   s  /         b   b
e   e /ssl       s   s
r   r            e   e
v   v            r   r
e   e            v   v
r   r            i   i
1   2            c   c
                 e   e
oversimplified diagram.... in this scenario the servers are in the
same dmz/subnet, but we do have clients connecting to the web service
from other dmzs.
Anybody else facing the same problem? Any fix?