We have lots of HTTPS-based applications for which the SSL key is added on the AMD for SSL decryption, but when I run show ssldecr status for any application server, the "session not seen from the beginning" count is very high. What does this mean? Is there any possible mitigation for this? Screenshot attached for reference.
As per your screenshot, the cipher suite you have is not supported by the AMD.
Review the below link for the supported/conditionally supported/unsupported ciphers.
Yes, that is correct. The application is using unsupported ciphers and we have some solution to sort it out. The area of concern is "session not seen from the beginning".
What should we do about this? Any suggestions?
It may be related to the monitoring of sessions with a missing start of session. Change your settings if required.
You can include persistent TCP sessions in the TCP statistics and tune their monitoring if such an inclusion is required for comprehensive TCP reporting.
Review the below link for better understanding.
SSL decryption is very sensitive to packet loss. Ensure your data streams for analysis are ok.
Are there any packets being dropped? Take a look at the CAS main menu -> Traffic diagnostics and look at drops. If there are controlled/uncontrolled drops, it could mean the AMD is overutilized.
Or are there any missing packets from the streams? Filter on the AMD in the traffic diagnostics screen. Does the "Sequence number gap" graph appear? Is the gap rate high? This could mean that you are not getting all of the traffic necessary for monitoring or decrypting.
From the diagnostics menu, open AMD Statistics and go to the Packet Stats tab. Change the time range to "today" and select the AMD. Does the Received Packet Distribution graph show that all the packets are being analyzed, or are they being filtered due to the software service definition? Additional packet information will be displayed here as well.