Novell Home

My Favorites

Close

Please to see your favorites.

Unable to upload large files to IIS 7.x back-end web server protected with Novell Access Manager

This document (7008505) is provided subject to the disclaimer at the end of this document.

Environment

Novell Access Manager 3.1
Novell Access Manager 3.1 Linux Access Gateway Appliance (LAG)
Microsoft Windows 2008 R2 Enterprise Edition
Microsoft Internet Information Server (IIS) 7.x
Proxy service configured to use SSL between the LAG and the back-end web server

Situation

Purpose:

Configuring Novell Access Manager to protect an application running on Microsoft IIS 7.x and to use SSL between the LAG and the back-end web server.

Symptoms:

Upload of "large" files to the IIS server will fail. The maximum size of a successful upload is variable based on the network configuration, however, test performed in lab environment where all the involved servers were located in the same subnet, shown that files bigger than 8 MB always fails to upload properly.

Analysing a LAN trace of the communication occurring between the LAG and the back-end web server, was observed that during the upload process the receiving TCP Windows size suddenly start to decrease till it reach the "0" (zero) size and never recovers, ending with a TCP Reset received from the ISS server.

Please note that this behavior is specific to the described scenario, upload via SSL from the LAG to IIS 7.x.

If the same operation is performed via HTTP instead via HTTPS, no problems are observed; also the issue is not present using IIS 6 in the same scenario.


Resolution

Apply Microsoft Hotfix KB 2634328. The problem that was resolved with KB 2634328 occurs when SSL connections are sending data over SSL and is using a block cipher encryption algorithm. When this occurs  HTTP.SYS does not correctly account for data associated with the zero length padding messages used by certain CBC implementations. Once a buffer maximum is reached HTTP.SYS stops accepting data on the connection.

This is what lead to ZERO Window condition visible in the LAN traces.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7008505
  • Creation Date:03-MAY-11
  • Modified Date:07-JUN-13
    • NetIQAccess Manager (NAM)

Did this document solve your problem? Provide Feedback