Could not establish secure channel for SSL/TLS

Discussion in 'ASP .Net Web Services' started by Eddie, Oct 19, 2004.

  1. Eddie

    Eddie Guest

    Hi,

    Our company is facing a problem with an asp.net client connecting to a
    web service. Basically we front-end it by a Cisco Content Smart Switch
    load balancer which has a SonicWall attached to it to do hardware SSL.
    The caller is in the same subnet/dmz as the webservice, but due to
    business reasons we need it front ended by this hardware.

    For about 99% of our transactions they are successful. The problem is
    the last 1%. On these 1% of failures, the error message we get is:

    "The underlying connection was closed: Could not establish secure
    channel for SSL/TLS."

    We've already brought this issue to Cisco, and they seem to have found
    some strange connection reset problems. Cisco issued us a patch and
    we've deployed them to our production environment, however the problem
    still persists. I noticed that there are several people with the same
    error string of "The underlying connection etc etc". I don't think
    it's a certificate installation problem, as the web service works 99%
    of the time.

    The servers are currently running .net 1.1 sp1. I also confirmed that
    the problem exists using .net 1.1, and .net 1.0sp2. They run Windows
    2000 AS.

    Are there any possible problems with the framework where if a
    connection is reset by another device in the network that the
    framework tries to use the previous connection it "knows" about,
    rather than re-establish a new ssl connection? Once the problem
    occurs, the subsequent request for the webservice is successful, and
    then intermittently the problem occurs again.

    Also, could there be a timeout where the established connection closes
    on the client, and the framework wants to use the stale connection, at
    that point giving the error message?


                      firewall
                          |
     css                 css-+-+-sonicwall (Hardware SSL)
      |             /     |
    -----          /    -----
    |   |         /     |   |
    m   m        /      w   w
    y   y      /|\      e   e
    s   s      /        b   b
    e   e     /ssl      s   s
    r   r               e   e
    v   v               r   r
    e   e               v   v
    r   r               i   i
    1   2               c   c
                        e   e
    oversimplified diagram.... in this scenario the servers are in the
    same dmz/subnet, but we do have clients connecting to the web service
    from other dmzs.

    Anybody else facing the same problem? Any fix?
     
    Eddie, Oct 19, 2004
    #1

  2. Eddie

    Eddie Guest

    I still suspect a problem with the client side calling the
    webservice-- It looks like the ASP.Net client wants to use a stale
    connection.

    I built a little script which could hammer the webservice and log all
    netstats using port 443. Immediately AFTER the SSL/TLS error occurs,
    the old connection goes away and I see a newly established SSL
    connection to the CSS load balancer.

    For some reason, I suspect the framework wants to use a connection
    which has been reset or closed from the other end point or device, so
    it can't establish the secure channel that it was previously using.

    Again, this problem is intermittent- 99% of the time it works with
    SSL, but the odd instance where we lose a transaction (and basically
    lose money).

    Can someone from the Microsoft team look into this? I highly suspect
    this is the scenario:
    1) ssl connection established and talking (ie. everything looks
    good)
    2) some network issue causes the connection to reset.
    3) connection is reset on the css load balancer
    4) connection is NOT reset on the aspnet client
    5) aspnet client wants to use the zombied connection
    6) Aspnet client errors with "Could not establish secure channel
    for SSL/TLS" because the connection it was trying to use is a dead
    connection to the load balancer.
    7) Next call to the webservice re-establishes a new SSL connection

    The trick is to verify that on a network connection reset, does the
    aspnet client actually know not to use the dead connection. Someone
    from Microsoft... please help!!!!

    Thanks,
    Eddie
     
    Eddie, Oct 20, 2004
    #2

  3. Eddie

    Dan Rogers Guest

    Hi Eddie,

    This sounds like a known stale connection issue related to keep-alives in
    the client side proxy. Try disabling keep-alives in the generated client
    side proxy and let me know if that doesn't help.

    Regards

    Dan Rogers
    Microsoft Corporation
     
    Dan Rogers, Nov 17, 2004
    #3
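
    The client-side change suggested in the reply above, as an added example that is not part of the thread and is not Microsoft's or the posters' code. The class names and the URL are hypothetical; OrderServiceProxy stands in for whatever class wsdl.exe generated for the service.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Stand-in for the wsdl.exe-generated proxy. The class name and URL are
// hypothetical; a real generated class also carries the web-method wrappers.
public class OrderServiceProxy : SoapHttpClientProtocol
{
    public OrderServiceProxy()
    {
        Url = "https://service.example.com/OrderService.asmx";
    }
}

// Derive from the generated class so the setting survives proxy regeneration.
public class NoKeepAliveOrderService : OrderServiceProxy
{
    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest request = base.GetWebRequest(uri);
        HttpWebRequest http = request as HttpWebRequest;
        if (http != null)
        {
            // Client-side switch: the request carries "Connection: close", so the
            // caller opens a new TCP/TLS connection per call and never picks up a
            // pooled connection that a device in the path has already torn down.
            http.KeepAlive = false;
        }
        return request;
    }

    // Exposes the configured request for inspection without sending anything.
    public HttpWebRequest BuildRequest()
    {
        return (HttpWebRequest)GetWebRequest(new Uri(Url));
    }
}

public class Program
{
    public static void Main()
    {
        HttpWebRequest request = new NoKeepAliveOrderService().BuildRequest();
        Console.WriteLine("KeepAlive = " + request.KeepAlive);
    }
}
```

    HttpWebRequest.KeepAlive is set in the calling application and is separate from the keep-alive option in the IIS site properties, which governs the connections IIS itself accepts. The cost of turning it off is a full TLS handshake on every call.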
  4. Eddie

    Apparao Guest

    Hi Eddie,

    I have the same problem. Did you find a solution for this?

    I disabled the "Keep-Alives" property in the "Default Web Site Properties"
    and I still get 1% of my requests with the error mentioned.

    Please let me know if you have a solution for this.

    Thanks,
    Apparao

    "Dan Rogers" wrote:

    > Hi Eddie,
    >
    > This sounds like a known stale connection issue related to keep-alives in
    > the client side proxy. Try disabling keep-alives in the generated client
    > side proxy and let me know if that doesn't help.
    >
    > Regards
    >
    > Dan Rogers
    > Microsoft Corporation
     
    Apparao, Apr 19, 2005
    #4