We have a strange situation we are trying to solve. In looking at a set of messages traveling through our DataPower appliances, we noticed some messages were duplicates. Further research indicated a link between messages containing a Basic Authentication header and messages not containing one.
When the message contains a BA header, we get 2 otherwise identical requests, one containing the BA header, one without. When we send the message without the BA header, we get just one request without a BA header.
However, with all of that said, when we configure DataPower without a AAA action, and we send a message containing a BA header, we get only one message that does not contain the BA header.
To eliminate things like auto load balancing and other things we thought might cause this, in controlled tests, we sent messages from SoapUI directly to a single DataPower appliance within the same subnet. That is, there is nothing in between them that would .
Our controlled test involved a simple WSP listening on port 80. In one test, it was configured with a simple AAA action. Debug probe is on. When hit with a single message, we actually saw 2 messages come through. One contained the BA header, the other did not. Then we took out the AAA action and sent the exact same message, once with a BA header, once without. Everything was normal when we sent the message without the BA header. However, when we sent the message with the BA header, DataPower received a single message that did not contain the BA header.
It is difficult to tell, but we think that in every case where a AAA action exists we are getting a duplicate, even when Basic Authentication is not at play. That is, we have several WSPs that handle AAA on SAML signatures. When we watch debug probes on those services, we always get a message count modulo 2. The traffic is too fast to be 100% certain though.
Message      | With BA          | W/O BA
=============|==================|==================
With AAA     | 2, 1 w - 1 w/o BA| 1 message w/o BA
=============|==================|==================
Without AAA  | 1 message w/o BA | 1 message w/o BA
It is almost as if when DataPower receives a message containing a BA header and a AAA policy exists, it is looping back through the original network path. The reason I add this is because we originally caught the problem in a pass-through MPG configured in appliances load balanced by an F5 in the DMZ. These appliances forward to WSPs configured in a set of AO balanced appliances in our trusted network. When we route the test through the DMZ, we still get 2 messages through the DMZ appliances.
Does anyone have any ideas what may be causing this?