HTTPS Persistence Timeout Length


#1

I have my outbound policies set up like so:

I recently changed the default connection priority to Service Electric (from RCN) but all the devices on my network using HTTPS are still going out over RCN Cable due to the HTTPS persistence rule.

I have tried disconnecting a device from the network until the active sessions for its HTTPS connections time out, but as soon as I reconnect them they still go out over RCN Cable. What is the length of the timeout when the HTTPS outbound route by source IP will expire?


#2

Which device are you testing from? 230, 219, 171, 150 default to RCN because the rules apply in table order top to bottom. As soon as one rule is matched, the session follows that rule, and the other rules are ignored.

When you say “changed the default connection priority to Service Electric” where and how did you do that? It doesn’t say that in any of the rules you showed here. If the device is not using the path you want, it’s probably due to the load balancing you set up in the WAN connections. You can override that in these rules, but in the examples shown you have rules pushing to RCN, and nothing pushing to Service Electric?


#3

A way to instantly break the SSL connections: create a new outbound policy rule for https traffic to the preferred WAN (priority works best) and put a check in the box for “terminate sessions on link recovery”.

That will kill the existing sessions and force a new connection to be established. Once all your traffic is moved over, you can disable the option (uncheck the box). Unless the goal is to keep https traffic on that WAN if at all possible - in which case leave it checked.
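To make the mechanism in #2 and #3 concrete, here is a small model of a first-match outbound policy table with a persistence rule that pins each source IP to the WAN it first used. It is an added illustration, not the router vendor's engine or anything posted in this thread: the rule names, the 192.168.1.x addresses, the 60 s idle timer and the `terminate_sessions` helper are all constructed for the example. It shows why flipping the WAN preference on the persistence rule does not move a source that keeps sending traffic (each hit refreshes its pin), why a host matched by an earlier rule never reaches the persistence rule at all, and how terminating the rule's sessions forces the next connection to re-evaluate the WAN order.

```python
"""Toy first-match outbound policy engine with per-source persistence.

Constructed for illustration only: rule names, addresses and the 60 s TTL are
assumptions, not the behaviour or defaults of any specific router.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HTTPS = 443


@dataclass
class Rule:
    name: str
    src_ip: Optional[str]          # exact source IP to match; None matches any source
    dst_port: Optional[int]        # destination port to match; None matches any port
    wans: List[str]                # WAN preference order; first entry that is up wins
    persist_by_source: bool = False  # pin each source IP to the WAN it first used

    def matches(self, src: str, dst_port: int) -> bool:
        return (self.src_ip is None or src == self.src_ip) and (
            self.dst_port is None or dst_port == self.dst_port
        )


@dataclass
class PolicyEngine:
    rules: List[Rule]
    link_up: Dict[str, bool]
    ttl: float = 60.0              # constructed idle timer for a persistence pin
    # (rule name, source IP) -> (pinned WAN, expiry timestamp)
    pins: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def route(self, src: str, dst_port: int, now: float):
        """Return (matched rule name, chosen WAN) for a new flow at time `now`."""
        for rule in self.rules:                      # table order: first match wins
            if not rule.matches(src, dst_port):
                continue
            key = (rule.name, src)
            if rule.persist_by_source and key in self.pins:
                wan, expiry = self.pins[key]
                if now < expiry and self.link_up.get(wan, False):
                    # Live traffic refreshes the pin, so a busy host never ages out.
                    self.pins[key] = (wan, now + self.ttl)
                    return rule.name, wan
            # No usable pin: walk the WAN list in preference order.
            wan = next((w for w in rule.wans if self.link_up.get(w, False)), None)
            if wan is not None and rule.persist_by_source:
                self.pins[key] = (wan, now + self.ttl)
            return rule.name, wan                    # later rules are never consulted
        return None, None

    def terminate_sessions(self, rule_name: str) -> int:
        """Model of 'terminate sessions': drop every pin held by one rule."""
        stale = [k for k in self.pins if k[0] == rule_name]
        for k in stale:
            del self.pins[k]
        return len(stale)


def demo() -> dict:
    rcn, se = "RCN", "ServiceElectric"
    https_persist = Rule("HTTPS Persistence", None, HTTPS, [rcn, se], persist_by_source=True)
    engine = PolicyEngine(
        rules=[
            Rule("230 prefers RCN", "192.168.1.230", None, [rcn, se]),
            Rule("219 static RCN", "192.168.1.219", None, [rcn]),
            https_persist,
            Rule("Default", None, None, [se, rcn]),
        ],
        link_up={rcn: True, se: True},
    )
    stb = "192.168.1.50"                 # constructed set-top box, not in any host rule
    out = {}
    out["first"] = engine.route(stb, HTTPS, now=0.0)          # pinned to RCN
    https_persist.wans = [se, rcn]                             # admin flips preference
    out["after_change"] = engine.route(stb, HTTPS, now=30.0)  # still RCN: pin refreshed
    out["pins_dropped"] = engine.terminate_sessions("HTTPS Persistence")
    out["after_terminate"] = engine.route(stb, HTTPS, now=31.0)  # re-evaluated: SE
    # A host with its own earlier rule never reaches the persistence rule.
    out["host_230"] = engine.route("192.168.1.230", HTTPS, now=32.0)
    # An enforced single-WAN rule yields no path when that WAN is down.
    engine.link_up[rcn] = False
    out["host_219_rcn_down"] = engine.route("192.168.1.219", HTTPS, now=33.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `terminate_sessions` call stands in for the checkbox in #3: it does not change which rule matches, it only discards the pins so the next flow walks the WAN list again. The host-230 case shows the point made in #2: because matching stops at the first rule, reordering or editing a lower rule has no effect on sources already captured above it.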


#4

I am testing from source IPs not in those 4 rules.

230 prefers RCN but will failover to Service Electric.

219 & 150 must go out RCN as that is my static IP.

171 prefers RCN but will go out over Service Electric upon congestion.

All other machines on the network should use Service Electric, and upon congestion of that link, should fail over to RCN. The default rule at the bottom is set to Overflow, and you can see in the picture that Service Electric is the first priority connection, but here is the full rule:

The problem is that most of the other devices on my network that fall under that default rule are using HTTPS (set-top boxes that stream over HTTPS), so their connections are being kept open by the HTTPS persistence rule, even after the sessions terminate.


#5

That worked perfectly with the 2 devices I tested this morning. I am going to disable the rule, and test the other devices tonight and see if their cached routes were terminated by that rule since the devices were not online at the time.

Thanks for the help.