RSA Web Threat Detection: How to troubleshoot SSL Cache and 'Resume Cache Misses' in Varz
Originally Published: 2018-01-31
Article Number
Applies To
RSA Product/Service Type: Mitigator
RSA Version/Condition: 6.x
Issue
Tasks
- Are the organization's webservers configured for session reuse?
- What is the webserver cache size set to in Mb?
- How many SSL sessions does the Customer get in 4 hours?
- What is the size of the cache in their filesystem? i.e. /var/opt/silvertail/data/sslcache
Resolution
<silvertap
vmLimitMb="6000"
rssLimitMb="3000"
pcapBufMb="1024"
httpServerPort="<service.serviceClass.httpServerPort>"
sslSessionIdTimeoutSeconds="14400"
sslSessionCacheSize="200000"
sslSessionPersistPeriodSecs="30"
sslSessionPersistPath="/var/opt/silvertail/data/sslcache"
acceptXffFromPublicProxy="true"
clientIpHeaderName="true-client-ip"
Background
If we restart SilverTap (or it goes offline for some other reason), how does that affect this SSL cache?
What we see in the Varz log is not specifically about the SSL cache; we only see 'resume cache misses' errors. An understanding of the differences and the relationship between the two caches involved is needed here:
-- Webserver SSL Cache
-- SilverTap SSL Cache
The SSL information is exchanged between the browser and the Webapp and a session key is created. That session key is stored in the SSL Cache on the Webserver to reuse later (if this is configured*). The purpose of this is so that a key exchange is not required again in the same session as long as the cache does not get full. This is also subject to a timeout.
(*We would need to know if the organization's webserver is configured for session reuse)
The SilverTap is passive: it only listens, and it stores a copy of the webserver's private key (configured with Certificate Manager) in its own (SilverTap) SSL Cache.
What happens if the SilverTap cache has a smaller cache than the webserver?
The session information would be discarded faster. Some returning users would have to reauthenticate more frequently than they would have if the SilverTap cache were larger than the Webserver SSL Cache.
What happens if the SilverTap service is taken down purposely or when it crashes?
When the service is stopped or unavailable, the session cache still holds data.
That is, the tap keeps it, but in persistent memory, which is a separate configuration and smaller than the normal cache memory.
When the tap comes back online, it retrieves the session information from the persistent memory and discards any entries that are over the timeout limits. Any new SSL session keys that were exchanged while it was offline are in neither the SSL Cache (local memory) nor the persistent memory.
So a config of sslSessionPersistPeriodSecs="30" means that a copy of the SSL Cache memory is written to the persistent memory every 30 seconds.
So as long as the tap is able to hold a session list bigger than the webserver's, and it never stops listening to the exchanges of new SSL session keys, it will never have a resume error.
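To make the interaction between the two caches, the timeout, the persist period and a tap restart concrete, here is an added simulation (my own illustration, not RSA's code). The SessionCache class, the simulate() function, the traffic in EVENTS and the OUTAGE window are all constructed, and the model assumes both caches discard oldest-first and share one sslSessionIdTimeoutSeconds value.

```python
from collections import OrderedDict

class SessionCache:
    """LRU map of session id -> time created, bounded by size and by timeout."""
    def __init__(self, size, timeout_secs):
        self.size, self.timeout, self.entries = size, timeout_secs, OrderedDict()

    def add(self, sid, now):
        self.entries[sid] = now
        self.entries.move_to_end(sid)
        while len(self.entries) > self.size:      # cache full: the oldest entry is discarded
            self.entries.popitem(last=False)

    def has(self, sid, now):
        created = self.entries.get(sid)
        return created is not None and now - created <= self.timeout

def simulate(events, tap_size, server_size, timeout, persist_period, outage=(0, 0)):
    """Replay (time, 'new'|'resume', session_id) handshakes past a webserver cache and a
    passive tap cache; return how many resumptions the server accepted that the tap had
    no key for (the 'resume cache misses'). outage=(start, end) is when the tap is down."""
    server, tap = SessionCache(server_size, timeout), SessionCache(tap_size, timeout)
    persisted, last_persist, was_down, misses = {}, 0, False, 0
    for t, kind, sid in events:
        tap_up = not (outage[0] <= t < outage[1])
        if not tap_up and not was_down:             # service stopped: in-memory cache is lost
            tap.entries.clear()
            was_down = True
        if tap_up and was_down:                     # back online: reload the persisted copy,
            tap.entries = OrderedDict((s, ts) for s, ts in persisted.items()
                                      if t - ts <= timeout)   # dropping expired entries
            was_down = False
        if tap_up and t - last_persist >= persist_period:   # sslSessionPersistPeriodSecs
            persisted, last_persist = dict(tap.entries), t
        if kind == 'resume' and server.has(sid, t):
            if tap_up and not tap.has(sid, t):
                misses += 1                         # server resumed; the tap cannot follow it
            continue
        server.add(sid, t)                          # full handshake: a new session key
        if tap_up:
            tap.add(sid, t)
    return misses

# Constructed sample traffic; times are seconds from the start of the capture.
EVENTS = [(0, 'new', 'A'), (5, 'new', 'B'), (10, 'new', 'C'),
          (40, 'new', 'D'),   # created after the last snapshot, just before the outage
          (50, 'new', 'E'),   # created while the tap is offline
          (70, 'resume', 'A'), (75, 'resume', 'D'), (80, 'resume', 'E')]
OUTAGE = (45, 60)             # constructed outage: tap process down from t=45 to t=60
```

With this traffic, a tap cache of 2 entries against a server cache of 10 produces 1 miss and a restart between two 30-second snapshots produces 2, while a tap sized larger than the server with no outage produces none.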