
Session loss through Content Switch with WebSEAL

StephenGlenn
Level 1

Hi there

We have an online application currently undergoing performance testing. Basically the design is a J2EE application running in WebSphere protected by a Tivoli Access Manager WebSEAL infrastructure.

When the test hits the WebSEAL directly everything is fine. But when the content switches are used we get about 60% failure as the session seems to be trying to authenticate an already authenticated session. Any thoughts as to why this behaviour may be happening when the switches are used would be really appreciated.

Cheers

Stephen

6 Replies

Gilles Dufour
Cisco Employee

As always, a sniffer trace is the best way to know what is going on.

But based on the information you provided, I would guess that requests from the same client are load-balanced between different servers, which is why the authentication is requested a few times.

Are you using any form of stickiness?

Sticky source IP or ArrowPoint cookies?

If not I would suggest to turn it on.

If yes, please capture a 'sho running-config' and attach it to this thread so I can review it.

Thanks,

Gilles.

Thanks for rating

Stephen, Gilles,

I'm having the same issue with the same configuration. I have the WebSEAL servers on AIX boxes directly homed to the CSS and the WebSphere and Tivoli servers running on the back end. I can get to my home page, but it does get content and authentication from the back end servers. I can show flows being initiated and answered from the front end to the back end servers.

My config is attached. I'm using two VLANs, one to the front end and the other to the backend & network. From all my tests, I cannot get complete content.

These servers and configurations work fine not connected to the CSS.

Gilles, as you know I'm using an 11501 CSS. All connections are coming in on port 443. Other ports are set up in rules for LDAP and other purposes (as identified by the developers). I only see port 443 connections, but flows show dynamically assigned ports to the backend servers.

My config is attached.

Jim

Jim / Gilles

I believe we have sorted our problem. Our network provider has admitted that the Content switches were not configured as Full Duplex but our WebSEAL servers were. So under load we saw our problems.

Not sure if that is your problem

Cheers

Stephen

Stephen,

No, we have all the boxes and switches at our fingertips. Could you post a sanitized version of your config to see if you're doing anything I should (or you could look at mine and make recommendations)?

I would really appreciate it. Now to convince my boss to send me to CSS class...

Jim

Jim,

I'll be glad to look at your config.

Just post it to this thread or send it to gdufour@cisco.com

Gilles

Thanks for rating.

Gilles,

I posted it earlier in this thread. If you can't get to it, please let me know.

FYI, on the other issue, they are requesting a RMA for the two CSSs. Can't duplicate problem.

Jim
