Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hi Ahmed, can you be sure the SSLC0008E correlates with your access problem? I am suspicious it is just some bad health-check that you see when you check the logs that might mislead us.

Probably the best path to debug this is to capture a "HAR" file at the client and scrutinize the Set-Cookie activity from the clients perspective. If you'd like the websphere team at IBM to take a look, the simplest way to share sensitive data like the HAR output would be to open a support case, feel free to flag it for my (Eric Covener) attention and I will prioritize looking at it.  https://www.ibm.com/mysupport/s/

The only other likely culprit I can imagine is n/a for WAS: 8.5.5.14, let me know here if your application servers are actually 8.5.5.16 or later as there are additional complications if code in your application or third-party SSO a) looks at the client IP and b) the load balancer is not actually doing a good job with affinity.



------------------------------
Eric Covener
------------------------------

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hi Eric Covener,
Attaching the HAR File.


​

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Original Message:
Sent: Tue June 16, 2020 04:22 PM
From: Eric Covener
Subject: Issue with App affinity session on was cluster active/active

Hi Ahmed, can you be sure the SSLC0008E correlates with your access problem? I am suspicious it is just some bad health-check that you see when you check the logs that might mislead us.

Probably the best path to debug this is to capture a "HAR" file at the client and scrutinize the Set-Cookie activity from the clients perspective. If you'd like the websphere team at IBM to take a look, the simplest way to share sensitive data like the HAR output would be to open a support case, feel free to flag it for my (Eric Covener) attention and I will prioritize looking at it.  https://www.ibm.com/mysupport/s/

The only other likely culprit I can imagine is n/a for WAS: 8.5.5.14, let me know here if your application servers are actually 8.5.5.16 or later as there are additional complications if code in your application or third-party SSO a) looks at the client IP and b) the load balancer is not actually doing a good job with affinity.



------------------------------
Eric Covener

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hello Ahmed,
please see this link for more details on the SSLC0008E message. I.e the SSLC0008E seems to be caused by an HTTP request being sent to an SSL enabled port. Unlikely that this is related to your problem.

Regarding your problem it seems that you have an issue with session affinity and/or the LTPA cookie. Is HTTP session persistence enabled? As you describe the probleme it seems that session affinity is not obeyed by the load-balancer and that requests are routed to the alternate cluster member.

Are you sure that it's the missing LtpaToken causing the re-login or is it probably because of the missing HTTP Session data? If you'd setup HTTP servers with the WAS Plugin (and load balance to these HTTP servers)  the WAS plug-in would take care of the session affinity.

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion
------------------------------

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hi Hermann Huebler,
Thank you for your reply, 
Actually we did All configuration required from the server/application side


------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Original Message:
Sent: Wed June 17, 2020 03:31 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
please see this link for more details on the SSLC0008E message. I.e the SSLC0008E seems to be caused by an HTTP request being sent to an SSL enabled port. Unlikely that this is related to your problem.

Regarding your problem it seems that you have an issue with session affinity and/or the LTPA cookie. Is HTTP session persistence enabled? As you describe the probleme it seems that session affinity is not obeyed by the load-balancer and that requests are routed to the alternate cluster member.

Are you sure that it's the missing LtpaToken causing the re-login or is it probably because of the missing HTTP Session data? If you'd setup HTTP servers with the WAS Plugin (and load balance to these HTTP servers)  the WAS plug-in would take care of the session affinity.

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hello Ahmed,
just read again thru your original post where you stated: "Hardware load balancer in front of the cluster with no http or proxy used" so this means that you are not using the WAS plugin - right? How is stickiness configured there? Based on what does the LB maintain stickiness?

You mentioned that you enabled session cookies - but did you also configure session persistence under distributed settings?

You mentioned that you attached a .har file but unfortunately I can't find it. Can you try again please?

Thanks - Hermann

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion
------------------------------

Original Message:
Sent: Wed June 24, 2020 05:51 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi Hermann Huebler,
Thank you for your reply, 
Actually we did All configuration required from the server/application side

- enabled cookies
- affinity session 

there is no indication it's from our side, 
I am attaching the HAR file if you have time to take a look.

------------------------------
Ahmed
alssarty@yahoo.com

Original Message:
Sent: Wed June 17, 2020 03:31 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
please see this link for more details on the SSLC0008E message. I.e the SSLC0008E seems to be caused by an HTTP request being sent to an SSL enabled port. Unlikely that this is related to your problem.

Regarding your problem it seems that you have an issue with session affinity and/or the LTPA cookie. Is HTTP session persistence enabled? As you describe the probleme it seems that session affinity is not obeyed by the load-balancer and that requests are routed to the alternate cluster member.

Are you sure that it's the missing LtpaToken causing the re-login or is it probably because of the missing HTTP Session data? If you'd setup HTTP servers with the WAS Plugin (and load balance to these HTTP servers)  the WAS plug-in would take care of the session affinity.

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hello Hermann,
"Hardware load balancer in front of the cluster with no http or proxy used"
so this means that you are not using the WAS plugin - right?
right not using plugin.
How is stickiness configured there?
on H/W LB
Based on what does the LB maintain stickiness?
A10 LB Support Sticky Session. 
You mentioned that you enabled session cookies - but did you also configure session persistence under distributed settings?
No , We didn't configure session persistence.
You mentioned that you attached a .har file but unfortunately I can't find it. Can you try again please?
Attached again

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Original Message:
Sent: Wed June 24, 2020 08:19 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
just read again thru your original post where you stated: "Hardware load balancer in front of the cluster with no http or proxy used" so this means that you are not using the WAS plugin - right? How is stickiness configured there? Based on what does the LB maintain stickiness?

You mentioned that you enabled session cookies - but did you also configure session persistence under distributed settings?

You mentioned that you attached a .har file but unfortunately I can't find it. Can you try again please?

Thanks - Hermann

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Wed June 24, 2020 05:51 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi Hermann Huebler,
Thank you for your reply, 
Actually we did All configuration required from the server/application side

- enabled cookies
- affinity session 

there is no indication it's from our side, 
I am attaching the HAR file if you have time to take a look.

------------------------------
Ahmed
alssarty@yahoo.com

Original Message:
Sent: Wed June 17, 2020 03:31 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
please see this link for more details on the SSLC0008E message. I.e the SSLC0008E seems to be caused by an HTTP request being sent to an SSL enabled port. Unlikely that this is related to your problem.

Regarding your problem it seems that you have an issue with session affinity and/or the LTPA cookie. Is HTTP session persistence enabled? As you describe the probleme it seems that session affinity is not obeyed by the load-balancer and that requests are routed to the alternate cluster member.

Are you sure that it's the missing LtpaToken causing the re-login or is it probably because of the missing HTTP Session data? If you'd setup HTTP servers with the WAS Plugin (and load balance to these HTTP servers)  the WAS plug-in would take care of the session affinity.

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------

Hello Ahmed,
thanks for uploading the .har file. However this seems to contain a test case when you access the cluster member directly as all requests go to port 9080.  So I'm afraid this does not show the issue as you've stated that in this case all works.

I've checked the A10 documentation and there are multiple ways to configure stickiness it seems. Which one are you using?

What do you exactly mean by saying "but when we tried to do any other services it force us to re-login and so on."? Please can you explain that in a bit more detail? Can this be because the session data are missing .. or what are potential causes for that behavior?

What you can do now is the following:

1. To verify stickiness configure the HTTP access log for each cluster member so that you can verify which cluster member gets which request.  Make sure to configure the proper accessLogFormat custom property to include the interesting headers like Set-Cookie, Cookie etc. See http://www-01.ibm.com/support/docview.wss?uid=swg1PM46717 and https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.0/com.ibm.websphere.base.doc/ae/ttrb_access_logging.html for more details.
2. Configure session persistence (assuming the application supports that by adding only serializable   objects to the session) so that no matter which cluster member gets the request the session data is available.

Thanks - Hermann

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
------------------------------

Original Message:
Sent: Wed June 24, 2020 09:06 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hello Hermann,
"Hardware load balancer in front of the cluster with no http or proxy used"
so this means that you are not using the WAS plugin - right?
right not using plugin.
How is stickiness configured there?
on H/W LB
Based on what does the LB maintain stickiness?
A10 LB Support Sticky Session. 
You mentioned that you enabled session cookies - but did you also configure session persistence under distributed settings?
No , We didn't configure session persistence.
You mentioned that you attached a .har file but unfortunately I can't find it. Can you try again please?
Attached again

------------------------------
Ahmed
alssarty@yahoo.com

Original Message:
Sent: Wed June 24, 2020 08:19 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
just read again thru your original post where you stated: "Hardware load balancer in front of the cluster with no http or proxy used" so this means that you are not using the WAS plugin - right? How is stickiness configured there? Based on what does the LB maintain stickiness?

You mentioned that you enabled session cookies - but did you also configure session persistence under distributed settings?

You mentioned that you attached a .har file but unfortunately I can't find it. Can you try again please?

Thanks - Hermann

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Wed June 24, 2020 05:51 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi Hermann Huebler,
Thank you for your reply, 
Actually we did All configuration required from the server/application side

- enabled cookies
- affinity session 

there is no indication it's from our side, 
I am attaching the HAR file if you have time to take a look.

------------------------------
Ahmed
alssarty@yahoo.com

Original Message:
Sent: Wed June 17, 2020 03:31 AM
From: Hermann Huebler
Subject: Issue with App affinity session on was cluster active/active

Hello Ahmed,
please see this link for more details on the SSLC0008E message. I.e the SSLC0008E seems to be caused by an HTTP request being sent to an SSL enabled port. Unlikely that this is related to your problem.

Regarding your problem it seems that you have an issue with session affinity and/or the LTPA cookie. Is HTTP session persistence enabled? As you describe the probleme it seems that session affinity is not obeyed by the load-balancer and that requests are routed to the alternate cluster member.

Are you sure that it's the missing LtpaToken causing the re-login or is it probably because of the missing HTTP Session data? If you'd setup HTTP servers with the WAS Plugin (and load balance to these HTTP servers)  the WAS plug-in would take care of the session affinity.

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
#IBMChampion

Original Message:
Sent: Tue June 16, 2020 10:59 AM
From: Ahmed Alsareti
Subject: Issue with App affinity session on was cluster active/active

Hi All,
Our environment details 
OS: Oracle Linux 7.3
WAS: 8.5.5.14fp14
Dmg01
Cluster with 2 members (fnae01,fnae02)
Hardware load balancer in front of the cluster with no http or proxy used. Supposedly sticky session configured 
Scenarios 
1- if we connect to the App directly to one of the cluster the members all work fine.
Browsing, uploading, downloading...etc
2- if we connect to the App through the LB with one of the node(member) down, only one member up the other is down for the sake of testing , also all test services work fine 
Browsing, uploading, downloading...etc

3- If both of the cluster members up and when we login we can login successfully but when we tried to do any other services it force us to re-login and so on.
It seem that sticky session / affinity session not working

The only error we found in both cluster members is :
SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


Note we are connecting on http port 9080

------------------------------
Ahmed
alssarty@yahoo.com
------------------------------