4 replies Latest Post - ‏2012-11-30T21:32:08Z by SystemAdmin
SystemAdmin
6772 Posts

Pinned topic Duplicate

‏2012-11-30T16:07:16Z |
Running XI52 with 5.0.0.3 firmware.

We have a strange situation we are trying to solve. In looking at a set of messages traveling through our DataPower appliances, we noticed some messages were duplicates. Further research indicated a link between messages containing a Basic Authentication header and messages not containing one.

When the message contains a BA header, we get 2 otherwise identical requests, one containing the BA header, one without. When we send the message without the BA header, we get just one request without a BA header.

However, with all of that said, when we configure DataPower without a AAA action, and we send a message containing a BA header, we get only one message that does not contain the BA header.

To eliminate things like auto load balancing and other things we thought might cause this, in controlled tests, we sent messages from SoapUI directly to a single DataPower appliance within the same subnet. That is, there is nothing in between them that would .

Our controlled test involved a simple WSP listening on port 80. In one test, it was configured with a simple AAA action. Debug probe is on. When hit with a single message, we actually saw 2 messages come through. One contained the BA header, the other did not. Then we took out the AAA action and sent the exact same message, once with a BA header, once without. Everything was normal when we sent the message without the BA header. However, when we sent the message with the BA header, DataPower received a single message that did not contain the BA header.

It is difficult to tell, but we think that in every case where a AAA action exists we are getting a duplicate, even when Basic Authentication is not at play. That is, we have several WSPs that handle AAA on SAML signatures. When we watch debug probes on those services, we always get a message count modulo 2. The traffic is too fast to be 100% certain though.

In Summary:

Message      |      With BA     |      W/O BA
=============|==================|==================
With AAA     | 2, 1 w - 1 w/o BA| 1 message w/o BA
=============|==================|==================
Without AAA  | 1 message w/o BA | 1 message w/o BA


It is almost as if when DataPower receives a message containing a BA header and a AAA policy exists, it is looping back through the original network path. The reason I add this is because we originally caught the problem in a pass-through MPG configured in appliances load balanced by an F5 in the DMZ. These appliances forward to WSPs configured in a set of AO balanced appliances in our trusted network. When we route the test through the DMZ, we still get 2 messages through the DMZ appliances.

Does anyone have any ideas what may be causing this?
Updated on 2012-11-30T21:32:08Z at 2012-11-30T21:32:08Z by SystemAdmin
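
The pairing that the post above attempts by eye in the debug probe can be done mechanically over recorded requests. This is an added example, not part of the original post and not IBM tooling; the record format, the 1-second window and the sample data are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records (hypothetical format, not real probe output):
# arrival time in seconds, request headers, request body.
BA = {"Authorization": "Basic dGVzdDp0ZXN0", "Content-Type": "text/xml"}
NO_BA = {"Content-Type": "text/xml"}
SAMPLE = [
    {"t": 0.000, "headers": BA, "body": b"<Envelope>A</Envelope>"},
    {"t": 0.020, "headers": NO_BA, "body": b"<Envelope>A</Envelope>"},
    {"t": 0.500, "headers": NO_BA, "body": b"<Envelope>B</Envelope>"},
    {"t": 9.000, "headers": NO_BA, "body": b"<Envelope>A</Envelope>"},
]

def has_basic_auth(rec):
    """True if the request carries an Authorization: Basic header."""
    return any(k.lower() == "authorization" and v.strip().lower().startswith("basic ")
               for k, v in rec["headers"].items())

def fingerprint(rec):
    """Hash the body and every header except Authorization, so requests
    that differ only in the BA header get the same fingerprint."""
    h = hashlib.sha256()
    for k, v in sorted((k.lower(), v) for k, v in rec["headers"].items()):
        if k != "authorization":
            h.update(f"{k}:{v}\n".encode())
    h.update(b"\n" + rec["body"])
    return h.hexdigest()

def find_ba_pairs(records, window=1.0):
    """Pair each request with an otherwise identical one that arrived within
    `window` seconds and differs only in having the BA header.
    Returns (pairs, singles); each pair is (with_ba, without_ba)."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["t"]):
        groups[fingerprint(rec)].append(rec)
    pairs, singles = [], []
    for recs in groups.values():
        pending = []  # requests in this group not yet matched
        for rec in recs:
            match = next((p for p in pending
                          if has_basic_auth(p) != has_basic_auth(rec)
                          and rec["t"] - p["t"] <= window), None)
            if match is None:
                pending.append(rec)
                continue
            pending.remove(match)
            pairs.append((match, rec) if has_basic_auth(match) else (rec, match))
        singles.extend(pending)
    return pairs, singles

if __name__ == "__main__":
    pairs, singles = find_ba_pairs(SAMPLE)
    print(f"{len(pairs)} BA/no-BA pair(s), {len(singles)} unpaired request(s)")
```

A count of pairs equal to the number of BA requests sent would confirm the one-with, one-without pattern even when traffic is too fast to follow in the probe.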
  • SystemAdmin
    6772 Posts

    Duplicate Messages when AAA Action configured on policy.

    ‏2012-11-30T16:31:17Z  in response to SystemAdmin
    Changed Subject *** Was concentrating on the message.
    • SystemAdmin
      6772 Posts

      Re: Duplicate Messages when AAA Action configured on policy.

      ‏2012-11-30T21:16:40Z  in response to SystemAdmin
      *** Update. Rolled back firmware because we had recently upgraded it. No success. The appliance continues to see 2 messages when a AAA action is configured, one with the BA header, and one without.

      This has got to be some kind of problem.
      • SystemAdmin
        6772 Posts

        Re: Duplicate Messages when AAA Action configured on policy.

        ‏2012-11-30T21:20:57Z  in response to SystemAdmin
        > JoeMorganNTST wrote:
        > *** Update. Rolled back firmware because we had recently upgraded it. No success. The appliance continues to see 2 messages when a AAA action is configured, one with the BA header, and one without.
        >
        > This has got to be some kind of problem.

        What firmware were you on? And rolled back to which one?

        Maybe you should open the PMR ticket.
        • SystemAdmin
          6772 Posts

          Re: Duplicate Messages when AAA Action configured on policy.

          ‏2012-11-30T21:32:08Z  in response to SystemAdmin
          We had 2 different firmware images at play. One set on 4.0.2.3, another set on 4.0.2.8. Upgraded all to 5.0.0.3.

          I simply rolled back the firmware on one of each set, and the behavior is identical.

          Filing the PMR now.