Environment
Novell Access Manager 3.1
Novell Access Manager 3.1 Linux Access Gateway Appliance (LAG)
Microsoft Windows 2008 R2 Enterprise Edition
Microsoft Internet Information Server (IIS) 7.x
Proxy service configured to use SSL between the LAG and the back-end web server
Situation
Purpose:
Configuring Novell Access Manager to protect an application running on Microsoft IIS 7.x and to use SSL between the LAG and the back-end web server.
Symptoms:
Upload of "large" files to the IIS server fails. The maximum size of a successful upload varies with the network configuration; however, tests performed in a lab environment where all the involved servers were located in the same subnet showed that files bigger than 8 MB always fail to upload properly.
Analysing a LAN trace of the communication between the LAG and the back-end web server showed that during the upload the TCP receive window advertised by the server suddenly starts to decrease until it reaches zero ("0") and never recovers, ending with a TCP Reset received from the IIS server.
Please note that this behavior is specific to the described scenario: upload via SSL from the LAG to IIS 7.x.
If the same operation is performed via HTTP instead of HTTPS, no problems are observed; the issue is also not present with IIS 6 in the same scenario.
Resolution
Apply Microsoft Hotfix KB 2634328. The problem resolved by KB 2634328 occurs when an SSL connection is sending data using a block cipher encryption algorithm. In that case HTTP.SYS does not correctly account for the data associated with the zero-length padding messages used by certain CBC implementations. Once a buffer maximum is reached, HTTP.SYS stops accepting data on the connection.
This is what leads to the zero window condition visible in the LAN traces.
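To recognise the symptom described above (server receive window shrinking to zero, never reopening, then a TCP Reset) without reading a trace by hand, here is an added example that is not part of the TID: a small Python checker over a constructed tshark-like summary. The addresses, ports and window values in the sample are made up; the line format and the function names are assumptions of this example, not anything from Novell or Microsoft.

```python
import re

# Constructed sample trace (tshark-like summary): the LAG at 10.0.0.10 uploads
# to IIS at 10.0.0.20:443; the IIS receive window shrinks to 0, never reopens,
# and IIS finally sends a RST. Addresses and values are made up for the demo.
SAMPLE_TRACE = """\
0.001 10.0.0.10:51234 > 10.0.0.20:443 [PSH,ACK] win=65535
0.002 10.0.0.20:443 > 10.0.0.10:51234 [ACK] win=65535
0.450 10.0.0.20:443 > 10.0.0.10:51234 [ACK] win=32768
0.900 10.0.0.20:443 > 10.0.0.10:51234 [ACK] win=8192
1.300 10.0.0.20:443 > 10.0.0.10:51234 [ACK] win=0
2.300 10.0.0.10:51234 > 10.0.0.20:443 [ACK] win=65535
5.300 10.0.0.20:443 > 10.0.0.10:51234 [ACK] win=0
9.000 10.0.0.20:443 > 10.0.0.10:51234 [RST,ACK] win=0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+)\s+\[([^\]]*)\]\s+win=(\d+)$")

def parse_trace(text):
    """Turn summary lines into (time, src, dst, flags, window) tuples."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, flags, win = m.groups()
            segs.append((float(t), src, dst, set(flags.split(",")), int(win)))
    return segs

def diagnose(segments, server):
    """Track the receive window the server advertises to the uploader.
    Reports when it first hit zero, whether it reopened, and whether the server
    reset while still at zero (the HTTP.SYS behaviour the TID describes)."""
    zero_at, recovered, reset_after_zero = None, False, False
    for t, src, _dst, flags, win in segments:
        if src != server:
            continue  # only the server's advertised window matters here
        if "RST" in flags:
            reset_after_zero = zero_at is not None and not recovered
            break
        if win == 0 and zero_at is None:
            zero_at = t
        elif win > 0 and zero_at is not None:
            recovered = True
    return {"zero_window_at": zero_at, "recovered": recovered,
            "reset_after_zero": reset_after_zero,
            "matches_pattern": zero_at is not None and reset_after_zero}

if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE), "10.0.0.20:443"))
```

A trace where the window drops to zero but later reopens is ordinary flow control and reports `matches_pattern: False`; only the never-recovering zero window followed by the server's RST matches the TID's description.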