
grouper-users - Re: [grouper-users] LDAP timeouts after Java upgrade

Subject: Grouper Users - Open Discussion List

  • From: Christopher Bongaarts <>
  • To:
  • Subject: Re: [grouper-users] LDAP timeouts after Java upgrade
  • Date: Thu, 21 May 2020 10:13:14 -0500
  • Organization: University of Minnesota

On 5/20/2020 8:50 PM, Baron Fujimoto wrote:
Our F5 admins have provided the following additional information regarding the configuration of our load balancer fronting the LDAP cluster:

F5 is configured with nPath (aka DSR, Direct Server Return)

Packet paths (where client=CAS, Server=LDAP):
- Client -> F5 -> Server
- Return packet is Server -> Client
  - bypasses F5, so F5 doesn't see full 3-way TCP handshake (SYN, SYN-ACK, ACK)
    - F5 sees SYN, ACK from client to server, but not SYN-ACK from server to client (sent via DSR)

F5 relies on idle timeout to server's Virtual IP (VIP)
- Timeout value = 51 seconds

The Idle timeout was selected based on recommendations in the following reference:
- https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-12-1-0/4.html

That seems like it might be a workable timeout for HTTP, but not for a persistent LDAP connection; I'd expect it to need to be much higher...

--
%% Christopher A. Bongaarts %% %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
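
The interaction discussed in this thread, as an added example that is not part of the original messages: a small Python model of the 51-second idle timer under nPath/DSR, where only client-to-server packets pass the F5 and so only they can refresh its flow entry. The timeline, the function names and the periodic client-side probe (for example a connection-pool validation search) are assumptions made for illustration; what the F5 does with a packet on an expired flow is not stated in the thread, so the model only flags such sends.

```python
from dataclasses import dataclass

F5_IDLE_TIMEOUT = 51.0  # seconds, the value quoted in the thread


@dataclass
class Packet:
    t: float        # seconds since the connection was opened
    direction: str  # "c2s" = client -> F5 -> server, "s2c" = server -> client (bypasses F5)


def stale_sends(packets, idle_timeout=F5_IDLE_TIMEOUT):
    """Times of client sends that arrive after the F5 flow entry has idled out."""
    stale, last_seen = [], None
    for p in sorted(packets, key=lambda p: p.t):
        if p.direction != "c2s":
            continue  # DSR: return traffic never reaches the F5, so it cannot reset the timer
        if last_seen is not None and p.t - last_seen > idle_timeout:
            stale.append(p.t)
        last_seen = p.t  # assumption: the client reconnects, starting a fresh flow
    return stale


def with_client_probe(packets, interval):
    """Add a hypothetical client-originated probe every `interval` s of client silence."""
    out = list(packets)
    sends = sorted(p.t for p in packets if p.direction == "c2s")
    for start, end in zip(sends, sends[1:]):
        t = start + interval
        while t < end:
            out.append(Packet(t, "c2s"))
            t += interval
    return out


# Constructed timeline of one pooled LDAP connection (not captured traffic).
TIMELINE = [
    Packet(0.0, "c2s"), Packet(0.1, "s2c"),    # bind and response
    Packet(30.0, "c2s"), Packet(30.1, "s2c"),  # search and response
    Packet(70.0, "s2c"),                       # server-side traffic, invisible to the F5
    Packet(95.0, "c2s"),                       # 65 s after the last client packet
    Packet(120.0, "c2s"), Packet(120.1, "s2c"),
    Packet(180.0, "c2s"),                      # 60 s after the last client packet
]

if __name__ == "__main__":
    print("no probe:   ", stale_sends(TIMELINE))
    print("probe @ 30s:", stale_sends(with_client_probe(TIMELINE, 30.0)))
    print("probe @ 60s:", stale_sends(with_client_probe(TIMELINE, 60.0)))
```

In this model the server packet at 70 s does nothing for the flow entry, and a probe interval longer than the idle timeout still leaves stale sends.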



