IBM Verify

  • 1.  Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Sat March 13, 2021 04:45 PM
    We have a junction with the backend as an AWS elastic load balancer (ELB), and it has three different IPs. It seems that the ELB CNAME is randomly resolving to one of the three IPs (in less than a second). Due to this, WebSEAL is having a hard time resolving to the right IP and throws DPWWA2025W/DPWWA2026W (the lost / regained contact with junction errors). We have hundreds of such junctions and hence our msg logs are flooded with these error messages; this is indeed a huge amount of I/O traffic. Currently we have dynamic-addresses-ttl = 60 as a global setting, but if we make it zero, we are asking WebSEAL to resolve a new IP address for every name resolution attempt. Is this going to cause any performance impact? And in general, is this the best method to deal with this situation? We did think of having a per-junction value, but that is a huge maintenance overhead as we have hundreds of such junctions.

    I understand the default value for the TTL is zero (dynamic-addresses-ttl = 0) in WebSEAL when we set dynamic-addresses = yes. All I want to know is if there would be a huge overhead on WebSEAL, and hence an impact on its performance, if it keeps resolving to a new IP for every connection it makes with the backend. (We are on 9.0.7.2.) Please advise, thank you!
    -Raj

    ------------------------------
    Rajkumar
    ------------------------------


  • 2.  RE: Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Sun March 14, 2021 04:16 PM
    Rajkumar,

    From a performance perspective, if you change dynamic-address-ttl to 0 it means that on every request WebSEAL will need to call out to the DNS to resolve the server name before a connection is established to the junctioned server.  So, this is an extra network 'hop' on every single request.

    Having said this, are you sure that the DNS is the issue in your environment?  It is possible for the DNS to resolve a single name to multiple addresses and return the addresses in a seemingly random pattern.  Changing the dynamic-address-ttl value would only help if the actual resolved IP address disappears/changes on a frequent basis - and if this is happening in your environment every second or so there are bigger issues to solve.

    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Sun March 14, 2021 07:39 PM
    Hi Scott, 

    Thanks for your reply. You are right: in my case the backend VIP is resolving to a CNAME with three different IPs and returns these IPs in a seemingly random pattern. The IPs are not changing or disappearing on a frequent basis, but the order in which they appear is changing. For example, when I nslookup the backend VIP it gives me a CNAME with IPs 170.x.x.1, 170.x.x.2, 170.x.x.3. If I redo the lookup in the very next second, the order of the IPs changes: 170.x.x.3, 170.x.x.1, 170.x.x.2.
    And so on; the IPs are always the same three but the order is changing. All the different backends resolve to the same CNAME with the same set of three IPs. Due to this, WebSEAL is momentarily losing contact with the backend and regaining it at the same time. In this case changing the dynamic-address-ttl value would not solve my problem. Do you have any advice on how this can be handled?


    ------------------------------
    Rajkumar
    ------------------------------



  • 4.  RE: Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Sun March 14, 2021 10:01 PM
    Rajkumar,

    I fail to see why the DNS, if it always resolves to a valid server address, would cause WebSEAL to lose connectivity to the server.  It sounds like there is some other network related issue in your environment.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Mon March 15, 2021 07:36 PM
    Let us say that for an initial connection WebSEAL resolves the backend VIP1 to IP 170.x.x.1 (it is in the cache for 60 seconds, as my current dynamic-address-ttl=60). By the time a subsequent connection is made, the backend IP changes to 170.x.x.2 or 170.x.x.3; these two addresses are not yet in the cache and hence the junction status changes to "NOT RUNNING" and results in a lost contact error. I don't know what it is, but I am just thinking out loud. Even if all three different IPs are in the cache, does WebSEAL still try to connect to the first IP it resolved to with its initial request?
    Like I said, I have multiple junctions with VIP2, VIP3 and so on, and all of these VIPs resolve to the same three IPs. If all these junctions are accessed simultaneously, I would assume all three IPs would be available in the cache at some point and WebSEAL should be able to identify it on the backend.
    It could also be a network related issue with the cloud backend. The link below contains a similar issue posted by another user some time ago; he also seems to have it with an AWS backend.

    https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=48e38e9b-4ce8-4fd1-8433-6a5f4d069e76&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer#bm48e38e9b-4ce8-4fd1-8433-6a5f4d069e76

    ------------------------------
    Rajkumar
    ------------------------------



  • 6.  RE: Clearing WebSEAL DNS Cache - (dynamic-addresses-ttl = 0), any performance impact?

    Posted Mon March 15, 2021 08:11 PM
    Rajkumar,

    It must be a network related issue.  Providing the Web server at the cached IP remains available you should not be receiving a lost contact error.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
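The two points argued in this thread (the per-request DNS cost of dynamic-addresses-ttl = 0 in post 2, and whether a reordered answer set can invalidate a cached address in post 5) can be checked with a small model. This is an added example, not WebSEAL's own code; it assumes a simplified cache that keeps the first address of the last answer until the TTL expires, and uses constructed 170.0.0.x addresses in place of the thread's 170.x.x.x values.

```python
"""Simplified model of a junction address cache (added example, not WebSEAL's
implementation). It shows that a TTL of 0 costs one DNS lookup per request,
that a 60 s TTL amortises one lookup over a minute of requests, and that an
answer which merely reorders the same three addresses never makes a cached
address unreachable; only an address that actually drops out does."""
from collections import deque
from dataclasses import dataclass

# Constructed answer set standing in for the thread's three ELB addresses.
ELB_ADDRESSES = ["170.0.0.1", "170.0.0.2", "170.0.0.3"]


class RotatingResolver:
    """Returns the same address set in a different order on every query,
    mimicking the round-robin ordering described in post 3."""
    def __init__(self, addresses):
        self._ring = deque(addresses)
        self.lookups = 0          # how many times DNS was actually queried

    def resolve(self, name):
        self.lookups += 1
        self._ring.rotate(-1)
        return list(self._ring)


@dataclass
class JunctionCache:
    resolver: RotatingResolver
    ttl: int                      # dynamic-addresses-ttl in seconds; 0 = no caching
    _addr: str = None
    _expires: float = -1.0

    def address_for(self, name, now):
        # Re-resolve only when caching is off, nothing is cached, or the entry expired.
        if self.ttl == 0 or self._addr is None or now >= self._expires:
            self._addr = self.resolver.resolve(name)[0]
            self._expires = now + self.ttl
        return self._addr


def simulate(ttl, requests=120, interval=0.5, reachable=frozenset(ELB_ADDRESSES)):
    """Issue `requests` requests `interval` seconds apart against one junction and
    report DNS lookups plus connections sent to an address not in `reachable`."""
    resolver = RotatingResolver(ELB_ADDRESSES)
    cache = JunctionCache(resolver, ttl)
    lost = 0
    for i in range(requests):
        addr = cache.address_for("backend.elb.example", now=i * interval)
        if addr not in reachable:
            lost += 1
    return {"dns_lookups": resolver.lookups, "lost_contact": lost}
```

With all three addresses reachable, ttl=60 performs one lookup for 120 requests and ttl=0 performs 120, and neither setting loses contact; only when one address genuinely disappears does the TTL change the outcome.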