Change SSL Session Cache size on ProxySG / ASG / SG VA
Last Updated March 18, 2019
ProxySG / ASG / SG VA is hitting the max default size for the SSL Session Cache.
Depending on the amount of SSL traffic passing through the ProxySG / ASG / SG VA, you may hit the max value of the SSL Session Cache. The impact of this is an increase in CPU usage due to the SSL traffic.
In SGOS 126.96.36.199 and above you can now increase the SSL Session Cache to a maximum value of 1000000. To do this you will need to run the command below in the CLI:
# enable
# config t
#(config)ssl
#(config ssl)set-session-cache_size <new_size>
This is a hidden CLI command. When you apply it, no confirmation "OK" message is shown at the CLI prompt.
You can verify that the change has been applied by navigating to the advanced console URL https://x.x.x.x:8082/SSL/Statistics. The new session cache size is shown under SSL Termination-->Session cache max limit and SSL Origination-->Session cache max limit.
Starting from SGOS 188.8.131.52, the configured session cache value is persisted across reboots and through upgrades, but it is not exported in the configuration backup, e.g. show config does not report the presence of a configured value. In SGOS 184.108.40.206 and below, the session cache change is not persistent across reboots.
SGOS 220.127.116.11 also has two additional commands: one to set the session cache back to its default size and one to display the current session cache size using the CLI. Example given below.
To set back to default size.
#config t
Enter configuration commands, one per line. End with CTRL-Z.
#(config)ssl
#(config ssl)set-session-cache_size auto
#(config ssl)view set-session-cache_size auto
Also note that when the SSL session cache size is changed, the existing cache is flushed and subsequent sessions (new connections) will perform full handshakes. Because of this, if the session cache size is changed during the peak time of the day, the SG may exhibit high CPU in SSL & Crypto until the session cache has been rebuilt. It is recommended to perform this change during off-peak hours.