how to reset ssl stat

[Dany Demers]

hello all, I want to clear the SSL stat on my citrix ADC and I tried the clear global from the statistic menu in the GUI and it doesn't clear the SSL stat. I tried the 4 option available, Basic, full, basic global, full global but my ssl stat don't get reset. How do i reset these stat so that we can see how many connection are made by which protocol?

[Jens Dellner]

Good Morning Dany,

there are two ways to delete the ssl stats on your ADC. This command works on 13.1.33.52.

 

a) GUI

1. Traffic Management\SSL\Statistics

2. Clear Basic/Full

 

b) CLI

1. stat ssl [-clearstats ( basic | full )]

 

Source: https://developer-docs.citrix.com/projects/citrix-adc-command-reference/en/latest/ssl/ssl/

 

Best regards,

Jens

[Dany Demers]

 

Thanks for the reply but it seem there is a problem as it's not working on my box (I'm still on 13.0-85.32), see attached picture... I tried the GUI and the CLI and SSL stat still don't reset...

[Rhonda Rowland1709152125]

I think only clear stats "full" will remove the totals. 

 

It may in fact be a bug on this version of the code; I don't have access to test this specific one compared to the build I was using. 

But do make sure you have full admin rights and not a delegated admin that might be missing something.

 

Also stats are reset after a reboot (which I know isn't possible with product systems.)

Also may depend on whether you are looking at the global ssl stats (all hits to all objects) or a stat ssl vserver <vserver name>

 

 

If you just need an alternate way to temporarily audit the ssl ciphers in use on new connections in total or on specific vservers. See this thread where we used RESPONDER NOOP policies to log ciphers in use for all users on a given vserver with a GOTO Next expression; and then a separate policy to redirect users with the already identified unapproved ssl ciphers to an error page.  You could limit the amount of logging by restricting to hits to only a specific object on a page instead of every object.

https://discussions.citrix.com/topic/413011-capture-source-ips-on-vip-for-any-connections-which-are-using-weak-ciphers/

IF this isn't what you needed; then disregard.

 

 

 

[Dany Demers]

On 12/4/2022 at 6:49 PM, Rhonda Rowland1709152125 said:

I think only clear stats "full" will remove the totals. 

 

It may in fact be a bug on this version of the code; I don't have access to test this specific one compared to the build I was using. 

But do make sure you have full admin rights and not a delegated admin that might be missing something.

 

Also stats are reset after a reboot (which I know isn't possible with product systems.)

Also may depend on whether you are looking at the global ssl stats (all hits to all objects) or a stat ssl vserver <vserver name>

 

 

If you just need an alternate way to temporarily audit the ssl ciphers in use on new connections in total or on specific vservers. See this thread where we used RESPONDER NOOP policies to log ciphers in use for all users on a given vserver with a GOTO Next expression; and then a separate policy to redirect users with the already identified unapproved ssl ciphers to an error page.  You could limit the amount of logging by restricting to hits to only a specific object on a page instead of every object.

https://discussions.citrix.com/topic/413011-capture-source-ips-on-vip-for-any-connections-which-are-using-weak-ciphers/

IF this isn't what you needed; then disregard.

 

 

 

1 year later but thanks for that reply. We finally opted to use the ADM to have detailed stat but that's another good option for those who don't have ADM.