Forum Discussion

Matt_Pitts_6390
Aug 04, 2014

Is there a way to clear SSL session ID caches?

We regularly get asked to capture network traffic between an LTM and a pool member server and decrypt it for analysis. However, this can often take a long time in order to get a full SSL handshake to occur. Other than restarting pool members the only way I can think of forcing a full exchange would be to clear the SSL session ID cache on the LTM. I've not found a way to do this, is it possible?


7 Replies

  • FYI - Currently running 10.2.4 across most of the environment, will be moving to 11.4 shortly.
  • Other than restarting pool members the only way I can think of forcing a full exchange would be to clear the SSL session ID cache on the LTM. I've not found a way to do this, is it possible?

    I am not aware of a method to clear the SSL session ID cache. Anyway, can you change cache-size to 0 before troubleshooting?


    • Matt_Pitts_6390
      Thank you for your response. That is one of the options I've looked into, but the one problem is that we are just using the default serverssl profile, so if we change that option, it changes it across all pools that use that profile.
    • shaggy
      You could create a custom server_ssl profile that you implement during troubleshooting, reducing the scope of impact to just the target VS.
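The scoped-profile approach suggested above, written out as an added example that is not part of the thread: the default profile keeps its session ID cache, while a custom profile with cache-size 0 is attached to a single virtual server for the duration of the capture. It assumes v11.x tmsh syntax (the asker is moving to 11.4); the names vs_app and serverssl-nocache are hypothetical.

```tmsh
# Added example (not from the thread). Assumes v11.x tmsh;
# "vs_app" and "serverssl-nocache" are hypothetical names.

# Default profile as it stands: session IDs are cached, so most
# server-side connections resume instead of doing a full handshake.
list ltm profile server-ssl serverssl cache-size

# Custom profile inheriting everything from the default except cache-size 0,
# which forces a full handshake (and key exchange) on every new connection.
create ltm profile server-ssl serverssl-nocache defaults-from serverssl cache-size 0

# Swap the profile on the target virtual server only; other virtual servers
# that use the default serverssl profile are untouched.
modify ltm virtual vs_app profiles delete { serverssl } profiles add { serverssl-nocache }

# ... capture on the server side and decrypt here ...

# Revert when done: cache-size 0 costs a full handshake per connection.
modify ltm virtual vs_app profiles delete { serverssl-nocache } profiles add { serverssl }
delete ltm profile server-ssl serverssl-nocache
save sys config
```

Leaving cache-size at 0 on a busy virtual server adds CPU and latency on the pool members, so the revert step matters.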