Odd behaviour when pooling to a Tomcat server

Question

Hi all,&nbsp;
&nbsp;we are experiencing an odd issue when traffic which contains specific text is directed to a Tomcat server pool. The URI detection works fine and the tomcat app itself is shown in a iFrame in the browser. The issue we have is that when the Tomcat application redirects back to the main web address it seems that Tomcat intercepts the request and tries to process it and then generates a 404 error. If we wait 10-15 seconds and do a page refresh the page loads from WebSphere.  This does work on our current website and the Tomcat app is the same. The only difference I found was that the VIP for the new website being developed did not have a oneconnect profile defined whereas the working site did so I enabled this option. The redirect back from Tomcat now works as it does in our current production system but our developers are now saying other parts of the site are breaking with pages not loading completely so I have had to disable the oneconnect profile. This of course has brought back the Tomcat redirection issue again. &nbsp;
&nbsp;All I can tell you about the tomcat app is what one of our developers told me and thast is when the user clicks on a button to exit the tomcat app, some jsp code to clear the Tomcat session is run and then does an explicit 302 redirect back to a static page on our website.&nbsp;
&nbsp;So, can anyone tell me why oneconnect would have this effect on a redirect from a Tomcat server and if there are any possible ways to achieve the samew thing without using oneconnect profile?&nbsp;
&nbsp;tia&nbsp;
&nbsp;Craig&nbsp;

hooleylist · Answer

Hi Craig, 
&nbsp;  
&nbsp; This OneConnect wiki page has some good background on the feature: 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/oneconnect.html 
&nbsp;  
&nbsp; I'd guess the issue is with multiple HTTP requests on the same clientside connection which should be sent to separate pools.  Without OneConnect, LTM only makes a load balancing decision once per clientside TCP connection.  With OneConnect enabled, LTM will evaluate each HTTP request instead.  If the second request was going to the wrong pool/pool member, the server might not have a valid session for the request and consequently send a 404.   
&nbsp;  
&nbsp; If you're not using source address translation on the VS, I'd suggest creating a custom OneConnect profile with a 255.255.255.255 source mask and adding that to the VS.  This ensures that serverside connections are only reused for the same client IP address.  As a result, server logs will accurately reflect the true client IP address.  If you are using SNAT on the VS, then it's most efficient to use the default OneConnect profile with a /0 source mask (any serverside connection can be reused for any client IP). 
&nbsp;  
&nbsp; Aaron

craigm_17826 · Answer

Hi Hoolio,&nbsp;
&nbsp;thanks for your comments. I'll take a look at the OneConnect pages. The VSs do use SNAT and on this test VP, the pools it references (for both WebSphere and Tomcat) only contain one node each. In production there will be 2 or more in each pool though.&nbsp;
&nbsp;To add to this the senior developer has decided to recode their Tomcat app as well, so I'll let them try that first. In the meantime I'll read more about OneConnect.&nbsp;
&nbsp;thanks&nbsp;
&nbsp;Craig

craigm_17826 · Answer

Hi Hollio (or anyone for that matter!),  
&nbsp;  
&nbsp; We still haven't nutted this out yet. The developers did some code changes on the Tomcat App side they thought may have causing the issue, but no go. There is one other difference the developers picked up which they think could be the issue. On the working environment when the BigIp accesses the tomcat pool a session variable called BigipServer is created and it has a Path of /online , /online being the text we look for in the URI to direct the traffic to the Tomcat server. On the environment that does not work the cookie to the Tomcat pool is created but it's Path is set to /. Is there anyway to set the path, or any ideas on why the path's would be different? I'm not doing anything explicitly to create these pool cookies, I assume it's a function of the BigIp. 
&nbsp;  
&nbsp; tia 
&nbsp;  
&nbsp; Craig &nbsp;

hooleylist · Answer

Hi Craig, 
&nbsp;  
&nbsp; Is this a persistence cookie?  Is the cookie name BIGipServer&lt; pool name &gt;?  If so, I don't think LTM sets the cookie with a path.  If you make a curl request for the virtual server, (curl -vk https://1.1.1.1/ or curl -v http://1.1.1.1/) do you see LTM setting the cookie with a path? 
&nbsp;  
&nbsp; I'd expect you'd need to be using an iRule to set the persistence cookie path.  If you wanted to do this you could in HTTP_RESPONSE using HTTP::cookie path. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Hi Craig, 
&nbsp;  
&nbsp; Regardless of whether this particular issue is related to the persistence cookie or not, it's a best practice to enable a OneConnect profile when using cookie persistence.  This allows LTM to parse each HTTP request on a TCP connection and select a different pool or pool member if necessary.  See the OneConnect article I posted for details from Deb on this. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Odd behaviour when pooling to a Tomcat server

7 Replies

Recent Discussions

redirect not working

Access azure app service using f5 LTM

Reliable resources for identifying IP addresses

Issue on license renewal

Viprion files on blades.

Related Content

F5 monitor for Tomcat/Pega

Form Based Authentication with Tomcat not working on F5

Apache Tomcat Remote Code Execution via JSP upload (CVE-2017-12615 / CVE-2017-12617)

Apache Tomcat Remote Code Execution on Windows (CVE-2019-0232)

LTM Policy - Is there a way to create policy with non Case Sensitive behaviour