Clovertech

connection issue when server side is vpn

Clovertech Forums Read Only Archives Cloverleaf Cloverleaf connection issue when server side is vpn

  • Creator
    Topic
  • March 12, 2014 at 1:38 pm #54092
    Yuhong Snyder
    Participant

      we are having connection issue on one of our application. my side is client and vendor side is server, we both use mlp_tcp.dll. I believe their side is using multi server.

      however, we observe the continuing disconnection every 20 mins, and it will not come back sometimes for whole night.

      when it is disconnected, our side shows our process openning but their side shows as up, and also, when we run netstat, their side shows 2  establisthed connections.  when I run netstat on my side, sometime it comes back with result like below, what exactly does the last record mean here? could that be an issue?  

      tcp4       0      0  10.x.x.x.52217        216.x.x.x.23201    SYN_SENT

      f10006000c842c08 dgram       0      0 f1000100132018f8                0                0                0 /dev/.SRC-unix/SRCp6Igaj

    • Creator
      Topic
    Viewing 6 reply threads
    • Author
      Replies
      • March 12, 2014 at 8:58 pm #80121
        Tom Rioux
        Participant

          Is the other side a Cloverleaf engine too?   It sounds like they don’t have the settings for the multi-server configuration set properly on the server side.   They need to make sure that the maximum number of clients is set properly (depending upon the number of clients connecting).   Also, they need to be sure they are saving the client IP and Port to the Driver Control.

          It sounds like they are connecting to one inbound connection and never letting it go…

          Hope it helps…

        • March 13, 2014 at 1:21 pm #80122
          Yuhong Snyder
          Participant

            Yes, the other side is cloverleaf engine, and they are using multi server.  we send heartbeat message every 5 mins and expect the ACK back, but however, every a few messages we don’t get the ACK back but another side did send the ACK, they monitored and found out our side is sending SYN message to them, and their side’s connection status shows as ‘up’ but our side thinks it is down. since the connections reachs the limit eventually so they cannot establish more connections and will not release the established connections (even our side thinks it is down). our side the interface stays as opening for hours but their side still shows as up.  this goes as a cycle.

          • March 13, 2014 at 2:09 pm #80123
            Rob Abbott
            Keymaster

              The VPN or firewall is probably dropping the connection without notifying either end.  This is why one side thinks it’s still connected.

              Suggest increasing the frequency of the heartbeats or decreasing the tcp keepalive interval at the operating system level on either end.

              Rob Abbott
              Cloverleaf Emeritus

            • March 13, 2014 at 4:13 pm #80124
              Max Drown (Infor)
              Keymaster

                Here are my notes on VPN’s and firewalls.

                -- Max Drown (Infor)

              • March 17, 2014 at 5:34 pm #80125
                Yuhong Snyder
                Participant

                  our cloverleaf is 5.6, there is setup in server.ini as below:

                  [firewall]

                  rmi_exported_server_port= xxxxservername

                  also it is HA , for example, one node is xxx.xxx.xxxx.65, another node is 66, but the HA itself should be 100.

                  what we observed when we run netstat is: when our side is server, the connnection is showsing as 100 , but when our side is client, it could be showing as 65 or 66 on vendor side, is that normal ?

                • March 17, 2014 at 5:38 pm #80126
                  Yuhong Snyder
                  Participant

                    also vendor side has verified their configuration and it is correct

                  • March 18, 2014 at 12:58 pm #80127
                    Bob Richardson
                    Participant

                      Greetings,

                      We run into connectivity battles often as our site is doing business with more outside (remote) vendors and medical centers.

                      One factor that comes up frequently is:

                      (1) The firewall timeouts need to be in sync, that is if they are configured

                           to timeout after two hours then our side must be configured to timeout

                           identically.

                      (2) The local OS TCP keepalive setting must fall within the firewall timeout

                           window.  For us on AIX Unix that is the default of 2 hours.

                      (3) Part of the sync up tasks include verifying the encryption (security)

                          settings between us and them, that is, they must agree or be

                          acceptable otherwise connections can drop.  I confess this part is

                          beyond my skill level – we have advanced network staff handling

                          these tasks.

                      I hope this helps you out.

                      Good luck!

                  • Author
                    Replies
                  Viewing 6 reply threads
                  • The forum ‘Cloverleaf’ is closed to new topics and replies.