Change SSL Session Cache size on ProxySG / ASG / SG VA

Article ID: 169974

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS
SWG VA-100

Issue/Introduction

ProxySG / ASG / SG VA is hitting the default maximum size of the SSL Session Cache.

Environment

Depending on the amount of SSL traffic passing through the ProxySG / ASG / SG VA, you may hit the maximum value of the SSL Session Cache. When that happens, sessions can no longer be resumed from the cache, and you will see an increase in CPU usage due to the SSL traffic.

Resolution

In SGOS 6.6.5.11 and above you can increase the SSL Session Cache to a maximum value of 1000000. To do this, run the commands below in the CLI:

# enable
# config t
#(config)ssl
#(config ssl)set-session-cache_size <new_size>

Notes -

  1. This is a hidden CLI command. When you apply it there will be no confirmation "OK" message at the CLI prompt.
  2. You can verify that the change has taken effect by navigating to the advanced console URL https://x.x.x.x:8082/SSL/Statistics. The new session cache size will be shown under SSL Termination-->Session cache max limit and SSL Origination-->Session cache max limit.
  3. Starting from SGOS 6.7.4.4 the configured session cache value is persisted across reboots and through upgrades, but it is not exported in a configuration backup (e.g. show config does not report the presence of a configured value). In SGOS 6.7.4.3 and below the session cache change is not persistent across reboots.
  4. SGOS 6.7.4.4 also has two additional commands: one to set the session cache back to the default size and one to display the current session cache size from the CLI. Examples are given below.

To set back to default size.

#config t
Enter configuration commands, one per line.  End with CTRL-Z.
#(config)ssl
#(config ssl)set-session-cache_size auto
#(config ssl)view set-session-cache_size
auto

And when it is changed from the default size:

#(config ssl)set-session-cache_size 200000
#(config ssl)view set-session-cache_size
200000
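As an added check for note 2 above (example code written for this article, not Broadcom's own tooling), the following Python script reads the advanced console statistics page, either saved to a file or fetched directly, and confirms that both the SSL Termination and SSL Origination "Session cache max limit" values match the size you configured. The page layout, the exact "Session cache max limit: N" line format, and basic-auth access to the console are assumptions; adjust the regular expressions to what your appliance actually reports.

```python
"""Check the SSL session cache size reported by a ProxySG / ASG / SG VA.

Added example; not part of the Broadcom article and not Broadcom code.
Assumptions (labelled): the advanced console page
https://<proxy>:8082/SSL/Statistics yields text containing an "SSL Termination"
and an "SSL Origination" section, each with a line such as
"Session cache max limit: 200000". Adjust the regular expressions if your
appliance formats the page differently.
"""
import base64
import re
import ssl
import sys
import urllib.request
from html.parser import HTMLParser

SECTIONS = ("SSL Termination", "SSL Origination")
SECTION_RE = re.compile(r"^\s*(SSL Termination|SSL Origination)\b", re.MULTILINE)
LIMIT_RE = re.compile(r"Session cache max limit\s*:?\s*(\d+)")

# Constructed sample (assumed layout, not captured appliance output) of the
# statistics page after "set-session-cache_size 200000".
SAMPLE_STATISTICS = """\
SSL Termination
  Session cache max limit: 200000
SSL Origination
  Session cache max limit: 200000
"""


class _TextExtractor(HTMLParser):
    """Collect the text nodes of an HTML page so the regexes see plain text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html(page):
    """Return the text content of an HTML page, one text node per line.

    Plain text passes through unchanged apart from the node joining.
    """
    extractor = _TextExtractor()
    extractor.feed(page)
    return "\n".join(extractor.parts)


def parse_session_cache_limits(text):
    """Map each SSL section name to the 'Session cache max limit' it reports."""
    limits = {}
    headings = list(SECTION_RE.finditer(text))
    for index, heading in enumerate(headings):
        end = headings[index + 1].start() if index + 1 < len(headings) else len(text)
        match = LIMIT_RE.search(text, heading.end(), end)
        if match:
            limits[heading.group(1)] = int(match.group(1))
    return limits


def check_session_cache(text, expected):
    """Return (ok, report): ok is True only if both sections report `expected`."""
    limits = parse_session_cache_limits(text)
    mismatched = {name: value for name, value in limits.items() if value != expected}
    missing = [name for name in SECTIONS if name not in limits]
    ok = not mismatched and not missing
    return ok, {"limits": limits, "mismatched": mismatched, "missing": missing}


def fetch_statistics(host, cafile=None, username=None, password=None):
    """Download the statistics page (assumed path and auth scheme) as text.

    TLS verification stays on: pass the CA that issued the console certificate
    via cafile. HTTP basic auth is an assumption about the console.
    """
    request = urllib.request.Request(f"https://{host}:8082/SSL/Statistics")
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=15) as response:
        return strip_html(response.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python check_ssl_cache.py <expected_size> [saved_statistics_page]
    # Without a file argument the constructed sample above is checked.
    expected_size = int(sys.argv[1]) if len(sys.argv) > 1 else 200000
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as handle:
            page_text = strip_html(handle.read())
    else:
        page_text = SAMPLE_STATISTICS
    status, report = check_session_cache(page_text, expected_size)
    print("OK" if status else "MISMATCH", report)
    sys.exit(0 if status else 1)
```

Run it with the value you passed to set-session-cache_size and a copy of the statistics page saved from the advanced console; a non-zero exit code means one of the two sections does not report that value, which on SGOS 6.7.4.3 and below is exactly what you would expect to see after a reboot.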

Also note that when the SSL session cache size is changed, the existing cache is flushed and subsequent sessions (new connections) will perform full handshakes. Because of this, if the session cache size is changed during the peak time of the day, the SG may exhibit high CPU in SSL & Crypto until the session cache is rebuilt. It is recommended to perform this change during off-peak hours.