My company hosts an internal CRM system which has had problems ever since IE9 came out. The main issue we see is that when a user sends a request, they may not get a response back from the server. I used Wireshark to begin testing and found that when a request is generated, it creates 2 SYN requests on 2 different ports. Sometimes, a few minutes into working with a page, the browser seems to be unable to complete the SSL handshake, and the connection is reset by the load balancer. These are the packets 10 seconds after the end of a request, before trying to trigger the next request:
No. Time Source Destination Protocol Length Info
6584 145.621085 Server IP Client IP TCP 60 https > 58831 [FIN, ACK] Seq=16561 Ack=2019 Win=65700 Len=0
6585 145.621153 Client IP Server IP TCP 54 58831 > https [ACK] Seq=2019 Ack=16562 Win=65660 Len=0
6586 167.806964 Client IP Server IP TLSv1 843 Application Data
6587 167.807143 Client IP Server IP TLSv1 827 Application Data
6588 167.809082 Server IP Client IP TCP 60 https > 58832 [RST, ACK] Seq=4905 Ack=1246 Win=65700 Len=0
6589 167.809153 Server IP Client IP TCP 60 https > 58832 [RST] Seq=4905 Win=0 Len=0
6590 167.809423 Client IP Server IP TCP 54 58831 > https [FIN, ACK] Seq=2019 Ack=16562 Win=65660 Len=0
6591 167.810558 Client IP Server IP TCP 66 58836 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
6592 167.810558 Client IP Server IP TCP 66 58835 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
6593 167.811094 Server IP Client IP TCP 60 https > 58831 [ACK] Seq=16562 Ack=2020 Win=65698 Len=0
6594 167.812368 Server IP Client IP TCP 62 https > 58836 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=2
6595 167.812405 Client IP Server IP TCP 54 58836 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
6596 167.812457 Server IP Client IP TCP 62 https > 58835 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=2
6597 167.812479 Client IP Server IP TCP 54 58835 > https [ACK] Seq=1 Ack=1 Win=65700 Len=0
6598 167.812632 Client IP Server IP TLSv1 184 Client Hello
6599 167.815598 Server IP Client IP TLSv1 1514 Server Hello
6600 167.815699 Server IP Client IP TCP 1514 [TCP segment of a reassembled PDU]
6601 167.815711 Client IP Server IP TCP 54 58836 > https [ACK] Seq=131 Ack=2921 Win=65700 Len=0
6602 167.815756 Server IP Client IP TCP 1230 [TCP segment of a reassembled PDU]
6603 167.815835 Server IP Client IP TLSv1 803 Certificate, Server Hello Done
6604 167.815850 Client IP Server IP TCP 54 58836 > https [ACK] Seq=131 Ack=4846 Win=65700 Len=0
6605 167.816744 Client IP Server IP TLSv1 380 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6606 167.822524 Server IP Client IP TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
6607 167.822567 Client IP Server IP TLSv1 184 Client Hello
6608 167.824983 Server IP Client IP TLSv1 1514 Server Hello
6609 167.825088 Server IP Client IP TCP 1514 [TCP segment of a reassembled PDU]
6610 167.825104 Client IP Server IP TCP 54 58835 > https [ACK] Seq=131 Ack=2921 Win=65700 Len=0
6611 167.825215 Server IP Client IP TCP 1230 [TCP segment of a reassembled PDU]
6612 167.825253 Server IP Client IP TLSv1 803 Certificate, Server Hello Done
6613 167.825264 Client IP Server IP TCP 54 58835 > https [ACK] Seq=131 Ack=4846 Win=65700 Len=0
6614 167.825669 Client IP Server IP TLSv1 843 Application Data
6615 167.826125 Client IP Server IP TLSv1 380 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
6616 167.830088 Server IP Client IP TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
6617 167.927532 Server IP Client IP TCP 60 https > 58836 [ACK] Seq=4905 Ack=1246 Win=65700 Len=0
6618 168.030388 Client IP Server IP TCP 54 58835 > https [ACK] Seq=457 Ack=4905 Win=65640 Len=0
6619 411.149105 Client IP Server IP TCP 54 58835 > https [FIN, ACK] Seq=457 Ack=4905 Win=65640 Len=0
6620 411.150829 Server IP Client IP TCP 60 https > 58835 [ACK] Seq=4905 Ack=458 Win=65700 Len=0
6621 411.150908 Server IP Client IP TCP 60 https > 58835 [RST, ACK] Seq=4905 Ack=458 Win=65700 Len=0
6622 413.318124 Client IP Server IP TCP 54 58836 > https [RST, ACK] Seq=1246 Ack=4905 Win=0 Len=0
IE 8 did not have this issue as it only opens one SYN request per action. I'd love a way to make IE9 behave the same way and only open one SYN per request.
Our connection is set up like this:
Computer > Load balancer > one of 3 servers
When a computer connects directly to any of the 3 servers, we do not see this issue; it only seems to happen when connecting through the load balancer. We tried changing the connection timeout, but that didn't fix the problem. We also tried turning on Verify Once from the load balancer, but with no effect.
From the client side, we tried the following with no success:
Disabled ActiveX Filtering
Force SSL 2.0
Disable Native XMLHTTP support
Putting the browser in compatibility mode
Forcing IE8 standards mode in Developer tools
At this point I'm out of ideas. Any suggestions are welcome.
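
Added example, not part of the original post: a Python sketch that reads Wireshark summary lines like the ones in the capture above (one record per line) and reports, for each client port, which side sent the first FIN or RST and which side reset the connection. It assumes the server port is displayed as `https`; the names `summarize` and `abrupt_server_resets` are made up for this example.

```python
import re
from collections import defaultdict

# Records taken from the capture in the post, each joined onto a single line.
SAMPLE = """\
6584 145.621085 Server IP Client IP TCP 60 https > 58831 [FIN, ACK] Seq=16561 Ack=2019 Win=65700 Len=0
6586 167.806964 Client IP Server IP TLSv1 843 Application Data
6588 167.809082 Server IP Client IP TCP 60 https > 58832 [RST, ACK] Seq=4905 Ack=1246 Win=65700 Len=0
6590 167.809423 Client IP Server IP TCP 54 58831 > https [FIN, ACK] Seq=2019 Ack=16562 Win=65660 Len=0
6591 167.810558 Client IP Server IP TCP 66 58836 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
6592 167.810558 Client IP Server IP TCP 66 58835 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
6619 411.149105 Client IP Server IP TCP 54 58835 > https [FIN, ACK] Seq=457 Ack=4905 Win=65640 Len=0
6621 411.150908 Server IP Client IP TCP 60 https > 58835 [RST, ACK] Seq=4905 Ack=458 Win=65700 Len=0
6622 413.318124 Client IP Server IP TCP 54 58836 > https [RST, ACK] Seq=1246 Ack=4905 Win=0 Len=0
"""

# Matches TCP summary lines of the form "<no> <time> ... TCP <len> <src> > <dst> [FLAGS]".
LINE = re.compile(r"^\s*\d+\s+(?P<t>\d+\.\d+)\s.*?\sTCP\s+\d+\s+"
                  r"(?P<src>\S+) > (?P<dst>\S+) \[(?P<flags>[A-Z, ]+)\]")

def summarize(text):
    """Return {client_port: {"syn", "first_close", "reset_by"}} from summary lines."""
    conns = defaultdict(lambda: {"syn": None, "first_close": None, "reset_by": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # TLS records show no ports in the summary view, so skip them
        sender = "server" if m["src"] == "https" else "client"
        port = int(m["dst"] if sender == "server" else m["src"])
        t = float(m["t"])
        flags = set(m["flags"].replace(" ", "").split(","))
        c = conns[port]
        if flags == {"SYN"}:
            c["syn"] = t                      # client opened the connection
        if flags & {"FIN", "RST"} and c["first_close"] is None:
            c["first_close"] = (sender, t)    # who started the teardown
        if "RST" in flags and c["reset_by"] is None:
            c["reset_by"] = (sender, t)       # who sent the first reset
    return dict(conns)

def abrupt_server_resets(conns):
    """Ports the server side reset with no FIN from either side beforehand."""
    return sorted(p for p, c in conns.items()
                  if c["reset_by"] and c["reset_by"][0] == "server"
                  and c["first_close"] == c["reset_by"])

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE).items()):
        print(port, info)
```

On these records only port 58832 is reported as reset by the server side without a preceding FIN; the summary view cannot attribute the TLS records to a port, so correlating the reset with the preceding Application Data needs the full capture.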