Hello Chris,
Please see my reply below in line.
Thanks & Regards,
Raghav
On 30/04/20, 9:23 AM, "Christopher Schultz" <ch...@christopherschultz.net>
wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Raghav,
On 4/29/20 22:26, Ragavendhiran Bhiman (rabhiman) wrote:
> The below is the executer element.
>
> <Executor name="AdminExecutorPool" namePrefix="admin-http-pool"
> maxThreads="450" minSpareThreads="5"/>
>
> I also captured the network pcap and able to see many RST packets
> in between that is marked as RED in wireshark.
Okay, so far you have told us:
1. You are using Tomcat 8.5.29
[Raghav] yes correct.
2. You have an <Executor> with 450 threads in it
[Raghav] Executor has 450 threads.
3. You see "lots of threads"
[Raghav] Yes above 450 threads or all the. 450 threads are alive.
4. You are seeing lots of RST packets.
[Raghav]I can provide one snapshot of pcap analyisis after the application data
exchange only I am able to see the RST packet which I see could be ok or sent
for socket closing.
We can't help you without more details. Pretend we aren't looking at
your screen as you investigate.
How many threads are you seeing? More than 450? How many, exactly?
What are the names of the threads?
[Raghav] Yes all the 450 threads are alive.
Some things I have noticed that seem ... suspicious.
1. Your sslImplementationName is invalid.
[Raghav] is the SSL implementation name has to be changed? What is the SSL name
to be used?
2. You have a 5-minute keepAliveTimeout -- which sounds insanely high
- -- and an infinite number of keepalive requests. Are you fronting
Tomcat with a load-balancer or other reverse-proxy?
[Raghav]. Yes, 5 minutes timeout is high. I already informed to the team. But
people are saying previous versions are working properly where the large number
of threads are not there.
I think the threads are based on the number of requests is it true?
3. You have sendReasonPhrase="true" which indicates that you are
working with clients which violate the HTTP specification.
[Raghav] this doesn't matter. I don’t know how this has been set to true.
4. You have an infinite "maxSavePostSize" setting. Are you expecting
many users to perform unauthenticated POSTs where the POST body needs
to be very large, and saved-and-replayed during the authentication step?
[Raghav] This is not known.
5. Your keystoreType is PKCS11 which is usually a hardware keystore.
Fine. But you have a truststoreType of PKCS11 as well. Are you using a
hardware trust store as well?
[Raghav] Not sure about this. There are many ciphers defined along with this as
well.
- -chris
>
> Thanks & Regards,
>
> Raghav
>
>
> On 29/04/20, 9:52 PM, "Mark Thomas" <ma...@apache.org> wrote:
>
> On 29/04/2020 14:53, Ragavendhiran Bhiman (rabhiman) wrote:
>> Yes you are correct apache tomcat version 8.5.29 being used.
>>
>> On 29/04/20, 7:22 PM, "Ragavendhiran Bhiman (rabhiman)"
>> <rabhi...@cisco.com> wrote:
>>
>> Hi Mark,
>>
>> We have configured 450 threads for port number 443 with the
>> following executer
>
> That is a Connector element, not the executor element. We need
> both.
>
> Mark
>
>
>>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> SSLEnabled="true" maxKeepAliveRequests="-1"
>> keepAliveTimeout="300000" executor="AdminExecutorPool"
>> maxSavePostSize="-1" scheme="https" secure="true"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" compression="on"
>> compressableMimeType="text/html,text/json,text/javascript,text/css,ap
plication/javascript"
>
>>
> sslEnabledProtocols="${sslEnabledProtocolsHighSecurity}" server="
> "
>> allowUnsafeLegacyRenegotiation="false" clientAuth="false"
>> bindOnInit="false" URIEncoding="UTF-8"
>> useBodyEncodingForURI="true" keystoreType="PKCS11"
>> keyAlias="tomcat" truststoreType="PKCS11"
>> sendReasonPhrase="true"
>> sslImplementationName="org.apache.tomcat.util.net.jsse.IseJSSEImpleme
ntation"
>
>>
>
>> />
>>
>> I could see 450 threads open for servicing the clients in one
>> specific setup only what could be the reason?
>>
>> Thanks a lot.
>>
>> Regards,
>>
>> Raghav
>>
>>
>> On 29/04/20, 7:18 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>
>> On 29/04/2020 14:24, Ragavendhiran Bhiman (rabhiman) wrote:
>>> Apache version 8.5.29
>>
>> Given this is the Apache Tomcat mailing list and that that is a
>> valid, although rather old, Tomcat version number I assume you
>> mean you are using Apache Tomcat 8.5.29.
>>
>> Generally, please also include JVM vendor and version being used
>> as well as OS.
>>
>> <snip/>
>>
>>> Hi,
>>>
>>> I am seeing too many open threads to port number 443 with
>>> TLSv1.2, what could be the primary reason for the same?
>>
>> Open threads? That doesn't make sense. Do you mean open ports,
>> threads (idle, active, both) or something else?
>>
>> How are you defining "too many"? More than you expect? There is
>> an error? Something else?
>>
>>> How can I analyze the problem ? Any particular pointers if you
>>> could provide will be more helpful.
>>
>> That depends on what the problem turns out to be.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>
>>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>
>>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl6qS5wACgkQHPApP6U8
pFhTQQ/+NrQfOAJykekcrW6sX1YuB0W5MS3DnZBEGxVW2FYqGK5BuJR6LxF7wiZ8
EuGLgFW0j0Taxq9oFG6zPkcKcd8bcKImpCJcAQ8/K8WLQaXx3qY9i0DLteQg2GxM
ZfiQ+ssc2UTvVgKQ9Qx3w+ekS/j51IgDkNg3Xde1Z89m/8UPxwqUzKAbKl7vtFmT
49DOJ56sXS5GTIwyG/WGTg4LhV7ZbCBaQpGoGhzvsUUWr0PsCNYLH7GNbMPJueiA
1dpclZNreLbx7BJ/kXGEb5y6Jqs0jpcWERZBejrdgbbMraYvFOBt7YvHS7ALnztn
7C1XgIdikcZF14dkw8GROYGJpTjoqCnOqcTNsgB1HUZit7o4CnNxvVL4kD6jTokh
t/ZOddDLfbLQRf3ITMgrJK2tu/5r+xw1SqEUDBoD2F4sA65Jvojm8E2yE509Pa5W
pw+5tNJ3MObXXwejWs+l9Aut/hCGfhERyucHOEhhON67r0y7R4KzceHeAVhuW3wY
GHdEGcC53pxEXtzs8ChP3hO6ybyEBylFodSssEgzwRNDcNOVAUXtvoEHTWTVkNEq
vPWe9dLBPFp+LrJCjicFaTdIPFHYSQLfiNGQJ3TMiA7LRgSQwnPlSPXMuzNSvBlA
w26mg6WzihtHE4cT1e0la4EuIlrHFSE4XoTEXahAfhLeN3EgGwE=
=JPPS
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
