26 Replies. Latest reply on Mar 9, 2016 7:15 AM by Bill Robinson

    Load balancer setup question

    Mike Reider

      Hi all, we have 2 app servers set up (BSA 8.3 SP2 running on RHEL63, Oracle 11g)

       

      we have an F5 load balancer configured to route requests for Console to App server logins (9840) and App Servers (9841)

       

      I ran blasadmin -a on both app servers,

       

      blasadmin -a set AuthServer AppServiceURLs service:appsvc.bladelogic:blsess://F5-vip.server.com:9841
      blasadmin -a set AppServer ValidateClientIpAddress false
      blasadmin -a set AppServer ValidateRequestURL false


      When I try to authenticate thru the Console, I am using the load balancer name and 9840


      bladelogic-si.hostname.com  SRP   9840

       

      I keep getting Cannot connect to : "service:authsvc.bladelogic:blauth://bladelogic-si.hostname.com:9840" - connection reset..


      Am I missing a config step somewhere?

       

      This is the F5 config screen,

       

      1.png

        • 1. Re: Load balancer setup question
          R V

          Does changing "F5-vip.server.com" to "bladelogic-si.hostname.com" in your first blasadmin-command help?

          • 2. Re: Load balancer setup question

            Also could you please check the hosts file for the entry of hosts for the communication on both server Console & Appserver?

            • 3. Re: Load balancer setup question
              Mike Reider

              I ran the blasadmin like this,

               

              blasadmin -a set AuthServer AppServiceURLs service:appsvc.bladelogic:blsess://bladelogic-si.hostname.com:9841


              I can ping the load balancer both from my console client box and both appservers, the customer has DNS, so it's not a connection issue


              • 4. Re: Load balancer setup question

                Mike,

                Can you confirm where the TCP RST is originating from? Do you see anything in either of the config server logs when you try to connect? Did you restart the appservers after making the blasadmin changes?

                • 5. Re: Load balancer setup question

                  Mike,

                  Also, the LB needs to be configured "sticky" in order to persist the Appserver sessions. Are you configured thusly?

                  • 6. Re: Load balancer setup question

                    Before you try NSH via proxy stuff, don't forget to also change the ProxyServiceURL setting

                    • 7. Re: Load balancer setup question
                      Mike Reider

                      restarted both app servers,

                       

                      looking at the appserver.log on both appservers, we are getting these constant auth. requests from the load balancer VIP (174.118.89.10, 147.118.89.11)

                       

                      these are coming in every second. The network admin confirmed that the sessions are set up to be persistent/sticky, and that the persistent timeout is set to Indefinite.  The network admin is asking if BMC has any documentation on the exact F5 settings that are typically used. I found this doc (https://kb.bmc.com/infocenter/index?page=content&id=KA288510&actp=search&viewlocale=en_US&searchid=1379962613261), but it doesn't list out exact F5 config settings, I think we are missing something

                       

                      also, I opened up exports and users.local on both app servers for troubleshooting but that doesn't seem to be what's blocking the connection

                       

                      [23 Sep 2013 14:42:07,695] [Client-Connections-Thread-4] [WARN] [Anonymous:Anonymous:147.118.89.10] [Client] Connection closed by /147.118.89.10:33044 before pre-authentication handshake could be completed.

                      [23 Sep 2013 14:42:07,695] [Client-Connections-Thread-4] [WARN] [Anonymous:Anonymous:147.118.89.10] [Client] Error authorizing the connection

                      [23 Sep 2013 14:42:07,695] [Client-Connections-Thread-4] [INFO] [Anonymous:Anonymous:147.118.89.10] [Client] Connection disconnecting: id = 1225

                      [23 Sep 2013 14:42:09,238] [Client-Connections-Thread-5] [WARN] [Anonymous:Anonymous:147.118.89.11] [Client] Connection closed by /147.118.89.11:33611 before pre-authentication handshake could be completed.

                      [23 Sep 2013 14:42:09,238] [Client-Connections-Thread-5] [WARN] [Anonymous:Anonymous:147.118.89.11] [Client] Error authorizing the connection

                      [23 Sep 2013 14:42:09,238] [Client-Connections-Thread-5] [INFO] [Anonymous:Anonymous:147.118.89.11] [Client] Connection disconnecting: id = 1226

                      [23 Sep 2013 14:42:10,798] [Authentication-Service-Thread-1] [WARN] [::147.118.89.10] [Appserver] Connection closed by /147.118.89.10:38821 before pre-authentication handshake could be completed.

                      [23 Sep 2013 14:42:10,798] [Authentication-Service-Thread-1] [INFO] [::147.118.89.10] [Appserver] Authentication Connection closed

                      [23 Sep 2013 14:42:12,336] [Authentication-Service-Thread-2] [WARN] [::147.118.89.11] [Appserver] Connection closed by /147.118.89.11:55528 before pre-authentication handshake could be completed.

                      • 8. Re: Load balancer setup question

                        I am assuming 147.118.89.11 is your client? Can you delete any certs you have stored in your console, and try again?

                        • 9. Re: Load balancer setup question

                          If that doesn't work, can you tell me what happens when you get creds via the command line?

                          blcred cred -acquire -profile <profile> -username <username> -password <password>

                          • 10. Re: Load balancer setup question
                            Mike Reider

                            the 147.118.89.10 and 147.118.89.11 are 2 virtual IPs - they're part of the F5 balancer. These 2 VIPs are constantly attempting to connect to the appserver. It's like they are closing the connection before the authservice has a chance to authenticate - even though the persistence timeout is set to indefinite.

                             

                            I deleted the Certs from the console, but same connect error,

                             

                            Cannot connect to "service:authsvc.bladelogic:blauth://blauth://bladelogic=si.clientHostname.com:9840" - connection reset

                            • 11. Re: Re: Load balancer setup question
                              Mike Reider

                              when I run this on the desktop where Console is installed I get No authentication profile by the name of default, even though it's there in the console

                               

                              2.png

                              • 12. Re: Load balancer setup question

                                Ok. I think the errors in the Config server log are just normal LB heart beat traffic. For the most part, those messages can be ignored. I don't think your console connection is ever making it over. Can the LB Admin turn off the sensor? Do you get the same error message via blcred?

                                • 13. Re: Load balancer setup question

                                  do a blcred authprofile list  and see what it says is there.

                                  • 14. Re: Load balancer setup question
                                    Steffen Kreis

                                    Hi Mike,

                                     

                                    in order to avoid all the heartbeat messages from the LB in your logs, we add the following two entries to the log4j.properties for the server-deployment that gets targeted by your LB.

                                     

                                    so [BL_INSTALL_DIR]\NSH\br\deployments\[your_deployment]\log4j.properties

                                     

                                    #Additional  entries to reduce logging of F5 Load-Balancer Healthchecks

                                    log4j.logger.com.bladelogic.om.infra.auth.service.AuthSvcWorkerThread=ERROR

                                    log4j.logger.com.bladelogic.om.infra.auth.service.AuthenticationServiceImpl=WARN

                                     

                                    Cheers

                                    Steffen
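
Added example (not from any poster in this thread and not BMC code): before treating the "pre-authentication handshake" warnings as load balancer heartbeat noise or lowering the log level as in reply 14, this sketch counts those events per source address in the appserver.log format quoted in reply 7 and separates the known load balancer addresses from any other source. The address set and the third and fifth sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout of the appserver.log lines quoted in reply 7:
# [timestamp] [thread] [LEVEL] [user:role:ip] [component] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] \[(?P<level>[A-Z]+)\] "
    r"\[(?P<ctx>[^\]]*)\] \[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)
PREAUTH_RE = re.compile(
    r"Connection closed by /(?P<ip>[0-9.]+):\d+ before pre-authentication handshake"
)

# Assumption: the two load balancer addresses named in reply 10.
LB_ADDRESSES = {"147.118.89.10", "147.118.89.11"}


def triage_preauth_closes(lines, lb_addresses=LB_ADDRESSES):
    """Count pre-auth handshake aborts per source: (LB probes, other sources)."""
    probes, unexpected = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected log layout
        hit = PREAUTH_RE.search(m.group("msg"))
        if not hit:
            continue  # some other message, e.g. "Connection disconnecting"
        bucket = probes if hit.group("ip") in lb_addresses else unexpected
        bucket[hit.group("ip")] += 1
    return probes, unexpected


# Lines 1, 2 and 4 are taken from the thread's log excerpt. Lines 3 and 5 are
# constructed; 192.0.2.55 is a documentation-range address, not a real host.
SAMPLE = [
    "[23 Sep 2013 14:42:07,695] [Client-Connections-Thread-4] [WARN] [Anonymous:Anonymous:147.118.89.10] [Client] Connection closed by /147.118.89.10:33044 before pre-authentication handshake could be completed.",
    "[23 Sep 2013 14:42:07,695] [Client-Connections-Thread-4] [INFO] [Anonymous:Anonymous:147.118.89.10] [Client] Connection disconnecting: id = 1225",
    "[23 Sep 2013 14:42:08,101] [Client-Connections-Thread-6] [WARN] [Anonymous:Anonymous:192.0.2.55] [Client] Connection closed by /192.0.2.55:40112 before pre-authentication handshake could be completed.",
    "[23 Sep 2013 14:42:10,798] [Authentication-Service-Thread-1] [WARN] [::147.118.89.10] [Appserver] Connection closed by /147.118.89.10:38821 before pre-authentication handshake could be completed.",
    "[23 Sep 2013 14:42:12,400] [Authentication-Service-Thread-2] [WARN] [::147.118.89.11] [Appserver] Connection closed by /147.118.89.11:55530 before pre-authentication handshake could be completed.",
]

if __name__ == "__main__":
    probes, unexpected = triage_preauth_closes(SAMPLE)
    print("Load balancer probes:", dict(probes))
    print("Other sources:", dict(unexpected))
```

Any address that shows up in the second counter is not explained by the health monitor and would stop being visible once those loggers are set to a higher threshold.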
