2 Replies Latest reply on Jul 26, 2012 3:24 PM by mhar

    HTTP sessions to our online app lock up during 8.2.1P01 config saves

      We have a load-sharing cluster using multicast mac mode.  Before we upgraded to 8.2.1 on 2/12/12, we had major problems with sessions to our online HTTP/S application locking up with configuration saves on the firewall.  It also happened when making a change to the split-zone hosted DNS configuration (adding an A record, etc.).  The problem mostly went away with the upgrade to 8.2.1 and the faster config saves.  Prior to that, it would happen to me if I tried to do anything in our online app immediately after firewall config saving about 1 in 3 times.  After the 8.2.1 upgrade, it was difficult for me to get the problem to happen.  With a couple hours of testing on that Sunday after the maintenance window, I got it to happen a couple of times.  This was acceptable, but not great (we have thousands of concurrent users).  Since upgrading to 8.2.1P01, the problem appears to be back in greater frequency again.  It may be less frequent that before, but it's much worse than it was after the 8.2.1 upgrade.  Is anyone else experiencing this?


      I had a tech support case open on this before, but we had it closed with the 8.2.1 upgrade.  I'll be opening a new case, referencing the original, now, but I was hoping to get some input there, too.

        • 1. Re: HTTP sessions to our online app lock up during 8.2.1P01 config saves

          What does it mean when a session 'locks up?'  Do the sessions continue with PSH/ACKs and the firewall sends FINs or RSTs?  If you restart a session (a new SYN, SYN/ACK, ACK) does that new session get processed successfully (i.e. are 'current sessions' being denied or blocked or not processed but NEW sessions are allowed through)?  What does the audit say?  What do tcpdumps say?


          Do you have any Host or Domain objects in your policy which could cause acld to stop processing traffic?


          Do you have any Deny rules configured to block 'Filters' or 'Categories' of applications?  A rule which is set to Deny and has for its applications <File Sharing>(Filter) and <Gaming>(Filter) for instance.

          • 2. Re: HTTP sessions to our online app lock up during 8.2.1P01 config saves

            Thanks, for the reply, Sam.  Sessions that lock up either just sit there with a spinning mouse pointer until the TCP timeout (10 minutes for us for this rule) and fail with an empty IE window, or they eventually do come back and work several minutes later.


            We have no Host or Domain objects.  We also have no deny rules to block Filters or Categories of applications.


            I haven't done packet captures yet since this started back up.  However, we did quite a few packet captures before.  The firewall that was handling the traffic would send an [ACK] packet in response to the client's HTTP GET request.  However, that GET was never passed through the firewall to the web server load balancer on the other side of the firewall.  So the client sits and waits because the firewall sent the [ACK], but the GET never made it to the server, so nothing came back to the PC.  I'm guessing that I will see the same behavior now when I do packet captures.