> On Jan 10, 2017, at 8:30 AM, Daniel Rakaric <[email protected]> wrote:
> 
> Hi,
> 
> Recently our institution has been trying to implement a new load balancer. We 
> have tried this out in our pre-prod environment and tested to see how our 
> applications behave with this new implementation.
> 
> So far, not a single application that is behind the load balancer that 
> requires CAS authentication works as the connection just times out during a 
> login request. Any externally hosted applications such as our vendor 
> applications that use our CAS to authenticate work with no issues. Also, any 
> application that is internally hosted that is not behind a load balancer 
> works as well.
> 
> We were wondering if anyone has had a similar time-out issue while using a 
> load balancer, and how did you configure the load balancer to behave properly?
> 
> Just to reiterate, CAS is also behind a load balancer.

Several factors may be at play. We deployed recently using an F5 but, 
as part of an initiative to deprecate old SSL/TLS protocols and ciphers, we set 
it up in routed mode (where F5 behaves like a gateway vs. SNAT and the like) so 
the CAS servers themselves can directly observe protocols/ciphers in use, trap 
deprecated ones and display a warning page.

Anyhow, we discovered any CAS client host (configured with the CAS virtual 
address) on the same subnet as the CAS servers didn't work because of a layer-2 
short circuit. The solution was to put the CAS servers on their own subnet 
(here a /28) with no other potential CAS clients on that same net.

Other than that, CAS 4.2(?) onward no longer requires session stickiness. We 
disabled it in the F5 and see traffic pretty evenly sprayed across all the 
servers w/ no ill effect. E.g. host1 serves the login page, and host2 accepts 
the POST.

Tom.
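
An added example, not part of the message above: a small return-path check for the same-subnet failure described in the reply. It assumes that in routed mode the CAS servers use the load balancer as their default gateway and answer on-link addresses directly at layer 2; all addresses are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

def reply_path(client_ip, server_subnet, lb_self_ip, snat=False):
    """Classify how a CAS server's reply travels back to a client."""
    subnet = ipaddress.ip_network(server_subnet)
    lb = ipaddress.ip_address(lb_self_ip)
    # Address the server sees as the connection source: with SNAT it is the
    # load balancer's own address, in routed mode it is the real client.
    dest = lb if snat else ipaddress.ip_address(client_ip)
    if dest == lb:
        return "via-lb"        # reply is addressed to the load balancer itself
    if dest in subnet:
        # On-link destination: the server delivers the reply directly,
        # skipping its gateway. The client sent to the virtual address but is
        # answered from the server's real address, so the connection stalls.
        return "direct-l2"
    return "via-lb"            # off-link: goes to the default gateway (assumed LB)

def broken_clients(clients, server_subnet, lb_self_ip, snat=False):
    """Return the clients whose replies bypass the load balancer."""
    return [c for c in clients
            if reply_path(c, server_subnet, lb_self_ip, snat) == "direct-l2"]

# Constructed sample: one application host shares the servers' original subnet.
CLIENTS = ["192.0.2.50", "203.0.113.7"]

if __name__ == "__main__":
    # Routed mode, CAS servers on a shared /24: the on-link client breaks.
    print(broken_clients(CLIENTS, "192.0.2.0/24", "192.0.2.1"))
    # CAS servers moved to a dedicated /28 with no clients on it.
    print(broken_clients(CLIENTS, "198.51.100.0/28", "198.51.100.1"))
```

Running the check against an inventory of CAS client hosts before cut-over shows which ones need to move, or whether the CAS servers need a subnet of their own.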
