From: "Brewer, Edward L"
To: "users@tomcat.apache.org"
Subject: Help with Apache Tomcat/7.0.53 SSL issue
Date: Tue, 7 Oct 2014 18:30:38 +0000
Message-ID: <986FC1CB53E9F24A8FBD3623AB56559760DAB5@ITS-HCWNEM105.ds.vanderbilt.edu>

To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL. I am currently running three environments (Dev, UAT, and Prod). Prod comprises 4 VMs (uname states version as "2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux"), each containing a local version of Java [Java(TM) SE Runtime Environment (build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)]. As well, Tomcat and Java are owned by the user running the app. The VMs are load balanced over two pairs of LTMs (LTM1 balances node 1 and node 2; LTM2 balances node 3 and node 4). The test environment is scaled down to just one LTM with two nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL... everything went as planned. When I deployed into production, I started to get complaints about timeouts to the service. After much troubleshooting... we were able to discern, using curl, that in production the LTM was not getting a response back from the application (using TCPDUMP) intermittently. Our LTMs are configured to serve as an SSL proxy. On the VM, TCPDUMP shows that traffic is being presented to the socket but there is no response. As far as I can tell the three environments (TOMCAT and JAVA) are the same. I find nothing in the logs from both access and catalina.out. When I restart the servers the problem goes away for about one hour, then it comes back rapidly. Using top and sar I do not see any issues with operating system performance. Also, by going down to one node the problem persists. As well, here are the options that are in setenv.sh:

    export JAVA_OPTS="$JAVA_OPTS\
     -verbosegc\
     -Xms256m\
     -XX:+DisableExplicitGC\
     -Xmx2g"

Here is the error that I see from curl:

    curl: (52) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.brewer@vanderbilt.edu | phone 615.343.2802 | it.vanderbilt.edu
