grouper-users - Re: [grouper-users] LDAP timeouts after Java upgrade

Subject: Grouper Users - Open Discussion List

  • From: Christopher Bongaarts <>
  • To:
  • Subject: Re: [grouper-users] LDAP timeouts after Java upgrade
  • Date: Thu, 21 May 2020 10:13:14 -0500
  • Organization: University of Minnesota

On 5/20/2020 8:50 PM, Baron Fujimoto wrote:
> Our F5 admins have provided the following additional information regarding the configuration of our load balancer fronting the LDAP cluster:
>
> F5 is configured with nPath (aka DSR, Direct Server Return)
>
> Packet paths (where client=CAS, Server=LDAP):
> - Client -> F5 -> Server
> - Return packet is Server -> Client
>   - bypasses F5, so F5 doesn't see full 3-way TCP handshake (SYN, SYN-ACK, ACK)
>     - F5 sees SYN, ACK from client to server, but not SYN-ACK from server to client (sent via DSR)
>
> F5 relies on idle timeout to server's Virtual IP (VIP)
> - Timeout value = 51 seconds
>
> The Idle timeout was selected based on recommendations in the following reference:

That seems like it might be a workable timeout for HTTP, but not for a persistent LDAP connection; I'd expect it to need to be much higher...

%% Christopher A. Bongaarts %% %%
%% OIT - Identity Management %% %%
%% University of Minnesota %% +1 (612) 625-1809 %%
