Today it was not possible to login to Qradar console and system was not responding any more.
After restart of hostcontext and tomcat we were able to login and find out that problem was most probably casued by blocked hanging session of one of our  users.
User Yesterday around 17:12 Closed session ( main browser windows with Qradar session opened) but did close some popup windows containing some qradar apps like Log Source management or search windows.
And from that moment we see alot of User logins what stopped 7:57 PM when user suspend PC.
Why Qradar did't stop session even main window was stopped?
Why Qradar opened so many sessions for 1 User and continued to open several new sessions per second?
Why Whole system was blocked?

BR
Jan

When you clear the Tomcat cache, it expires all sessions for all users. This is why you cannot use the QRadar UI when a Tomcat is restarted as all sessions become invalid and all users are logged out. You did not mention what QRadar version you are on, but there is a chance that the sessions are not being cleared if you are experiencing "The maximum number of sessions on this system has been reached." messages. 

If the ExpiredUserSessionInvalidator thread is not cleaning up expired sessions properly, then the sessions can hit a max limit and prevent further sessions from being created. It is really hard to tell without logs though or more information to determine of this is actually a session issue or Tomcat behaving in a strange way. I think that if you see this again, you'll want to get logs or have QRadar Support investigate further or if you have logs, we can look at the current state of the system.

You can check the sessions for users by name (Or their authorized service token) with the following command: 

psql -U qradar -c 'select actor_label, count(*) from user_sessions group by actor_label;'

The output provides a list of current sessions and the user name. For example, if I open multiple sessions across browsers as 'admin', you'll see the count increasing by user name. 

     actor_label      | count
----------------------+-------
aql_test_token       |     1
configservices       |     2
 admin                |     3
 Test_Token           |     1
(4 rows)

I do not think what you saw is common, but it might be possible that the sessions that are either expiring or expired are not cleaned up. This could over time lead to issues where the system thinks there are too many concurrent sessions or you are hitting a max limit. If you have logs from the time frame where you experienced the issue, you could log a case for us to investigate. Optionally, you could monitor the issue to see if it occurs again. I will note that this might not even be a session time out issue as it is hard to tell without the full logs to investigate. 

Not sure there is an answer to this thread, but I hope this helped shed some light on what might have occurred. It is hard to diagnose this type of issue from a forum post, but I hope this is somewhat helpful or gives you an idea of how to handle the situation if you see it again. I think anytime you cannot log in to QRadar or the UI hangs for an extended period after a Tomcat restart, you likely want to get us (Support) involved. 

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------