Ahmed_Galal
Staff
September 27, 2024

Troubleshooting Tip: Connection is getting reset when PKI is being used due to cache size

Description
This article describes how to identify whether a connection is being reset because of the PKI 'Max HTTP Request Length' setting, and how to resolve it. When PKI URL Based Client Certificate is in use (Server Policy -> Policy -> Advanced SSL Settings), an incoming connection whose parameter size exceeds the value configured under [Max HTTP Request Length] will be reset.
Scope
FortiWeb.
Solution
  1. How to identify whether the connection is being blocked because of the PKI URL Based Client Certificate 'Max HTTP Request Length' setting.
  • Debug the connection using the following commands:


diag debug reset
diag deb timestamp enable
diag debug flow filter http-detail 7
diag deb flow filter flow-detail 7
diag debug flow filter client-ip <client IP>
diag debug flow filter server-ip <VIP>
diag debug flow trace start
diag deb info
diag debug enable


  • In the debug output, the following errors will be found (the cache size is the size of the request being processed, and the configured size is the current Max HTTP Request Length value):


<12:01:22>[work 2][flow] ssn 11310884 policy LabPolicy strm 0 dir 0 subclient 0 cache size 32864 exceed configured size 32768, deny
<12:01:22>[work 2][flow] ssn 11310884 policy LabPolicy strm 0 dir 0 subclient 0 error happend, deny


  2. How to fix the issue: in the GUI, navigate to Server Policy -> Policy, select the related policy -> Advanced SSL Settings -> Max HTTP Request Length, and adjust its value according to the size reported in the debug output (in the output above, a cache size of 32864 exceeded the configured 32768).
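When the debug trace covers many sessions, picking out the "cache size ... exceed configured size ..." lines by hand is tedious. The following Python script is an added example, not part of the original article and not a Fortinet tool: it parses saved debug output, extracts each deny event caused by the request length limit, and reports per policy the largest request size observed together with a value rounded up to the next kilobyte to try for Max HTTP Request Length. The sample output is constructed from the lines quoted above; the second session id (11310901), the 70210 size, the 1024 rounding granularity and the function names are assumptions.

```python
import re

# Constructed sample of FortiWeb "diag debug flow" output, modelled on the lines
# quoted in the article. Session 11310901 and the 70210 size are made up.
SAMPLE_DEBUG_OUTPUT = """\
<12:01:21>[work 2][flow] ssn 11310884 policy LabPolicy strm 0 dir 0 subclient 0 http request parsed
<12:01:22>[work 2][flow] ssn 11310884 policy LabPolicy strm 0 dir 0 subclient 0 cache size 32864 exceed configured size 32768, deny
<12:01:22>[work 2][flow] ssn 11310884 policy LabPolicy strm 0 dir 0 subclient 0 error happend, deny
<12:05:40>[work 1][flow] ssn 11310901 policy LabPolicy strm 0 dir 0 subclient 0 cache size 70210 exceed configured size 32768, deny
"""

# Matches only the line that names the real cause; the trailing
# "error happend, deny" line carries no size information and is skipped.
CACHE_EXCEEDED_RE = re.compile(
    r"^<(?P<time>[^>]+)>\[work (?P<worker>\d+)\]\[flow\] ssn (?P<ssn>\d+) "
    r"policy (?P<policy>\S+) .*?cache size (?P<cache>\d+) "
    r"exceed configured size (?P<limit>\d+), deny$"
)


def parse_cache_exceeded(debug_output):
    """Return one dict per 'cache size ... exceed configured size ...' deny line."""
    events = []
    for line in debug_output.splitlines():
        m = CACHE_EXCEEDED_RE.match(line.strip())
        if m:
            events.append({
                "time": m["time"],
                "ssn": m["ssn"],
                "policy": m["policy"],
                "cache_size": int(m["cache"]),
                "configured": int(m["limit"]),
            })
    return events


def recommend_limit(events, granularity=1024):
    """Per policy: the largest observed request size, rounded up to the next
    multiple of `granularity` (assumed rounding step), as a candidate value
    for Max HTTP Request Length."""
    largest = {}
    for ev in events:
        largest[ev["policy"]] = max(largest.get(ev["policy"], 0), ev["cache_size"])
    return {policy: -(-size // granularity) * granularity for policy, size in largest.items()}


if __name__ == "__main__":
    found = parse_cache_exceeded(SAMPLE_DEBUG_OUTPUT)
    for ev in found:
        print(f"{ev['time']} ssn {ev['ssn']} policy {ev['policy']}: "
              f"request {ev['cache_size']} > configured {ev['configured']}")
    for policy, value in recommend_limit(found).items():
        print(f"policy {policy}: consider Max HTTP Request Length >= {value}")
```

Raising the limit only as far as the largest legitimate request requires keeps the check meaningful; review the denied sessions first rather than setting the value to the maximum the device allows.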