connection issue when server side is vpn


    Yuhong Snyder
    Participant

      We are having a connection issue on one of our applications. My side is the client and the vendor side is the server; we both use mlp_tcp.dll. I believe their side is using multi server.

      However, we observe continuing disconnections every 20 mins, and sometimes it will not come back for the whole night.

      When it is disconnected, our side shows our process as opening but their side shows as up, and also, when we run netstat, their side shows 2 established connections. When I run netstat on my side, sometimes it comes back with a result like below. What exactly does the last record mean here? Could that be an issue?

      tcp4       0      0  10.x.x.x.52217        216.x.x.x.23201    SYN_SENT

      f10006000c842c08 dgram       0      0 f1000100132018f8                0                0                0 /dev/.SRC-unix/SRCp6Igaj

      • #80121
        Tom Rioux
        Participant

          Is the other side a Cloverleaf engine too?   It sounds like they don’t have the settings for the multi-server configuration set properly on the server side.   They need to make sure that the maximum number of clients is set properly (depending upon the number of clients connecting).   Also, they need to be sure they are saving the client IP and Port to the Driver Control.

          It sounds like they are connecting to one inbound connection and never letting it go…

          Hope it helps…

        • #80122
          Yuhong Snyder
          Participant

            Yes, the other side is a Cloverleaf engine, and they are using multi server. We send a heartbeat message every 5 mins and expect the ACK back; however, every few messages we don't get the ACK back even though the other side did send the ACK. They monitored and found that our side is sending SYN messages to them, and their side's connection status shows as 'up' but our side thinks it is down. Since the connections eventually reach the limit, they cannot establish more connections and will not release the established connections (even though our side thinks they are down). On our side the interface stays as opening for hours but their side still shows as up. This goes on as a cycle.

          • #80123
            Rob Abbott
            Keymaster

              The VPN or firewall is probably dropping the connection without notifying either end.  This is why one side thinks it’s still connected.

              Suggest increasing the frequency of the heartbeats or decreasing the tcp keepalive interval at the operating system level on either end.

              Rob Abbott
              Cloverleaf Emeritus

            • #80124

              Here are my notes on VPNs and firewalls.

              -- Max Drown (Infor)

            • #80125
              Yuhong Snyder
              Participant

                Our Cloverleaf is 5.6, and there is a setup in server.ini as below:

                [firewall]

                rmi_exported_server_port= xxxxservername

                Also, it is HA: for example, one node is xxx.xxx.xxxx.65, another node is 66, but the HA itself should be 100.

                What we observed when we run netstat is: when our side is the server, the connection shows as 100, but when our side is the client, it could show as 65 or 66 on the vendor side. Is that normal?

              • #80126
                Yuhong Snyder
                Participant

                  Also, the vendor side has verified their configuration and it is correct.

                • #80127
                  Bob Richardson
                  Participant

                    Greetings,

                    We run into connectivity battles often as our site is doing business with more outside (remote) vendors and medical centers.

                    One factor that comes up frequently is:

                    (1) The firewall timeouts need to be in sync, that is if they are configured to timeout after two hours then our side must be configured to timeout identically.

                    (2) The local OS TCP keepalive setting must fall within the firewall timeout window.  For us on AIX Unix that is the default of 2 hours.

                    (3) Part of the sync up tasks include verifying the encryption (security) settings between us and them, that is, they must agree or be acceptable otherwise connections can drop.  I confess this part is beyond my skill level – we have advanced network staff handling these tasks.

                    I hope this helps you out.

                    Good luck!
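Added example, not part of any reply above and not Cloverleaf code: a small Python check of the rule the replies describe (heartbeat or TCP keepalive must fire inside the firewall/VPN idle timeout), plus per-socket keepalive settings for a client socket you open yourself. The function names are hypothetical; the 3600 s firewall timeout and the 75 s / 8 probe values are constructed sample inputs, while the 2 hour idle time and 5 minute heartbeat come from the thread.

```python
import socket


def keepalive_plan(idle_s, interval_s, probes, firewall_idle_timeout_s, heartbeat_s=None):
    """Compare keepalive/heartbeat timers with a firewall idle timeout."""
    # The connection is never silent for longer than the first timer to fire.
    timers = [idle_s] + ([heartbeat_s] if heartbeat_s else [])
    longest_quiet_s = min(timers)
    # TCP declares the peer dead after the idle period plus all unanswered probes.
    detect_dead_peer_s = idle_s + interval_s * probes
    return {
        "longest_quiet_s": longest_quiet_s,
        "detect_dead_peer_s": detect_dead_peer_s,
        # False means the firewall can silently drop its state entry first,
        # leaving one end "up" and the other stuck reconnecting.
        "within_firewall_window": longest_quiet_s < firewall_idle_timeout_s,
    }


def apply_keepalive(sock, idle_s, interval_s, probes):
    """Enable keepalive on one socket; returns the values the OS reports back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # The per-socket timer options are platform dependent, so set only those present.
    for name, value in (("TCP_KEEPIDLE", idle_s),
                        ("TCP_KEEPINTVL", interval_s),
                        ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    FIREWALL_IDLE_S = 3600  # constructed sample value, not from the thread
    # 2 hour OS keepalive idle time (from the thread), no application heartbeat.
    print(keepalive_plan(7200, 75, 8, FIREWALL_IDLE_S))
    # Same OS setting, with the 5 minute heartbeat described in the thread.
    print(keepalive_plan(7200, 75, 8, FIREWALL_IDLE_S, heartbeat_s=300))
    # Shorter keepalive applied to a single socket.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(apply_keepalive(s, 600, 60, 5))
```
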
