Re: [SunRay-Users] Shorting sunray network reconnect

Tue, 21 Feb 2012 12:26:44 -0800 

 Craig:
The default settings in the DTU for IKE lifetime and IPsec lifetime is 28800 (28800 secs = 8 hrs) . If I understand your response you are stating : 1) The gateway IPSec timeout should be less then or equal to the DTU IPSec time out. 2) The sunray will drop if the gateway vpn-session-timeout is set. 3) The DTU will drop if the if either the IKE lifetime or IPsec lifetime is reached. 

Thanks
Steve


On 02/19/12 15:39, [email protected] wrote:

Send SunRay-Users mailing list submissions to
         [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
         http://www.filibeto.org/mailman/listinfo/sunray-users
or, via email, send a message with subject or body 'help' to
         [email protected]

You can reach the person managing the list at
         [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of SunRay-Users digest..."


Today's Topics:

    1. Re: Shorting sunray network reconnect (Craig Bender)
    2. Re: KA_WARNINGs (Art Peck)


----------------------------------------------------------------------

Message: 1
Date: Sun, 19 Feb 2012 11:12:33 -0800
From: Craig Bender<[email protected]>
To: [email protected]
Subject: Re: [SunRay-Users] Shorting sunray network reconnect
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Steve,

Do you have a single VPN concentrator or multiple?  If multiple, have
you compared the access and port rules between?  The problem you
describe could also be port not being allowed or access from/to not
being allowed.

On 2/19/12 10:55 AM, Steven Gelsie wrote:

Thanks for the replies. I agree with you, I rather not have the network
disconnects in the first place.

We are also using sunrays (DTU) on our internal network and I not aware
of any network drops. This seems to indicate the fail-over sunray
servers are communicating properly and the internal network is OK. That
being said there are times when remote sunray users get multiple session
( not connecting back to original session), which would indicate that
there is an issue with the communication between the sunray servers. I
always thought there was an issue between our VPN concentrator and the
sunray servers. I am current updating to the latest version (5.2.3) of
the sunray server in hopes it will resolve the issue but I uncertain it
will.

Steve

On 02/19/12 05:00, [email protected] wrote:

Send SunRay-Users mailing list submissions to
[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
http://www.filibeto.org/mailman/listinfo/sunray-users
or, via email, send a message with subject or body 'help' to
[email protected]

You can reach the person managing the list at
[email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of SunRay-Users digest..."


Today's Topics:

1. Re: Shorting sunray network reconnect (Arthurpeck)
2. Re: Shorting sunray network reconnect (Bob Doolittle)
3. Re: Shorting sunray network reconnect (Craig Bender)


----------------------------------------------------------------------

Message: 1
Date: Sat, 18 Feb 2012 07:32:21 -0700
From: Arthurpeck<[email protected]>
To: [email protected]
Subject: Re: [SunRay-Users] Shorting sunray network reconnect
Message-ID:<[email protected]>
Content-Type: text/plain; charset=us-ascii

If it's any consequence, I have DTUs reset for no apparent reason and
I'm not using VPN connections. I've seen things like one whole side of
a classroom, 8 seats, reset all at the same time. Fortunately, the
user's desktop is reconnected and they can usually resume working
after login.

Some of these resets we understand are probably faulty network wiring,
but that would not explain clusters of resets. So far, all I've been
able to do is crank up the logXXX= settings in the *.parms file. From
that, I have seen what I think is a high number of KA_WARNING entries.
I'm told that if the DTU loses 3 consecutive KA packets, it will reset
so that could be some of it.

Just a little note, don't assume that all DTU network traffic is UDP.
There is some TCP traffic as well. Look in the Installation Guide for
the table that shows ports and protocols.

Art

Sent from my iPhone

------------------------------

Message: 2
Date: Sat, 18 Feb 2012 11:43:40 -0500
From: Bob Doolittle<[email protected]>
To: SunRay-Users mailing list<[email protected]>
Subject: Re: [SunRay-Users] Shorting sunray network reconnect
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 02/18/12 09:32, Arthurpeck wrote:

If it's any consequence, I have DTUs reset for no apparent reason and
I'm not using VPN connections. I've seen things like one whole side
of a classroom, 8 seats, reset all at the same time. Fortunately, the
user's desktop is reconnected and they can usually resume working
after login.

Some of these resets we understand are probably faulty network
wiring, but that would not explain clusters of resets.

Depending on your network topology, faulty network could easily
produce a cluster of resets.

For example, if you had an 8-port switch which had a faulty link
between it and the server.

You've probably looked into that already I imagine.

FWIW, in my experience it's far more likely to have a bad port on a
switch than a bad cable/wire. I've had a couple of experiences with
lightning that resulted in ports going bad.

-Bob


So far, all I've been able to do is crank up the logXXX= settings in
the *.parms file. From that, I have seen what I think is a high
number of KA_WARNING entries. I'm told that if the DTU loses 3
consecutive KA packets, it will reset so that could be some of it.

Just a little note, don't assume that all DTU network traffic is UDP.
There is some TCP traffic as well. Look in the Installation Guide for
the table that shows ports and protocols.

Art

Sent from my iPhone
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users


------------------------------

Message: 3
Date: Sat, 18 Feb 2012 10:43:22 -0800
From: Craig Bender<[email protected]>
To: [email protected]
Subject: Re: [SunRay-Users] Shorting sunray network reconnect
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

A few comments:

KA_Warning messages:

These are warnings that the expected Keep Alive packet wasn't received.
The Sun Ray expects a keepalive message from the server every 20
seconds. Miss three of those in a row for the same DTU and it will
reboot. Note that the server also expects the same from the Sun Ray
every 240 seconds.

While the knee jerk reaction to this would be a network problem, in my
experience it's usually due to server side issues caused by poorly
written kiosk scripts. The rationale for not pointing fingers at the
network is that the DTU has successfully sent the KA_WARNING messages
*and* syslog has logged them. That means packets are flowing over the
network and the server isn't hung.

A poorly Sun Ray Kiosk script that does things like invoke authd to
gather information can lead to these messages if authd gets too busy.

Remember that "TurboCAM" settings still apply when it comes to Kiosk
Mode and the changes to auth.props with regards to worker threads for
authd. The default of 8 just isn't enough in many, especially today,
when you can have a 300-500 Sun Rays on one server and they all start
their sessions/insert their cards around the same time.



LogXXX= key/value pairs:

You should see a lot of of messages, many of them useful, if you set
LogNet=7, some of them quite useful. 7 is the highest verbosity for the
LogXXX key/value pairs. I'll make sure we get the levels back in the
doc as they seemed to be missing.

Also, don't forget to set LogHost=<IP Address>  in the parms file as
well, otherwise the specification of just LogXXX= is useless.

Of course for a VPN connection, you won't see anything LogNet messages
after authentication (parms file read after auth + the loghost is
probably behind the VPN gateway). While it's not useful for
troubleshooting the VPN authentication process, you'll get a lot of very
useful information especially if your gateway is dropping due to
re-keying errors. Regardless, any messages that can be gathered if you
are experiencing sessions being dropped is better than just guessing.
Open a support call and provide them with the logs.


VPN connections and connection drops:

Let's say you've improperly set the Phase 1 (IKE Lifetime) or Phase Two
(IPSec Lifetime) values in the VPN config on the DTU. That's not going
to cause an error to be thrown on the gateway, the session will just
drop due to a normal expiration. I know this because I spent quite a
while trouble shooting remote Oracle Offices who kept dropping after 7
hours, even though they had 24 hours set of the various timer lifetimes.

Phase 2 needs to be much smaller than Phase 1, and in almost all cases,
Phase 2 should be set to lower than what the gateway has set as a Phase
2 limit. Note that this setting is in seconds. This ensures the DTU
will request a new encryption key before the gateway enforced setting
expires. Setting Phase 2 equal to the gateway settings is fine, but
higher is bad. That's a guaranteed dropped connection when the gateway
IPSec timer experies.

I know that some companies (Sun Microsystems...<cough>..<cough>) set the
timers on the Phase 1 and Phase 2 to be the same on the VPN gateway.
Though the troubleshooting previously mentioned, I've been educated on
what a poor security practice that is. IPSec is what does the actual
encryption and should be re-keyed more often than IKE.

Regardless of the IKE and IPSec timers, the Sun Ray will drop if
vpn-session-timeout is set. This is a VPN gateway side setting and is
expressed in minutes, so 1440 would mean you have a 1 day limit for a
connection.

Regards,

CB

On 2/18/12 8:43 AM, Bob Doolittle wrote:

On 02/18/12 09:32, Arthurpeck wrote:

If it's any consequence, I have DTUs reset for no apparent reason and
I'm not using VPN connections. I've seen things like one whole side of
a classroom, 8 seats, reset all at the same time. Fortunately, the
user's desktop is reconnected and they can usually resume working
after login.

Some of these resets we understand are probably faulty network wiring,
but that would not explain clusters of resets.

Depending on your network topology, faulty network could easily produce
a cluster of resets.

For example, if you had an 8-port switch which had a faulty link between
it and the server.

You've probably looked into that already I imagine.

FWIW, in my experience it's far more likely to have a bad port on a
switch than a bad cable/wire. I've had a couple of experiences with
lightning that resulted in ports going bad.

-Bob


So far, all I've been able to do is crank up the logXXX= settings in
the *.parms file. From that, I have seen what I think is a high number
of KA_WARNING entries. I'm told that if the DTU loses 3 consecutive KA
packets, it will reset so that could be some of it.

Just a little note, don't assume that all DTU network traffic is UDP.
There is some TCP traffic as well. Look in the Installation Guide for
the table that shows ports and protocols.

Art

Sent from my iPhone
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

------------------------------

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users


End of SunRay-Users Digest, Vol 97, Issue 10
********************************************




------------------------------

Message: 2
Date: Sun, 19 Feb 2012 15:39:33 -0500
From: Art Peck<[email protected]>
To: SunRay-Users mailing list<[email protected]>
Subject: Re: [SunRay-Users] KA_WARNINGs
Message-ID:<[email protected]>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

As far as the environmental variables are concerned, the datastore for
the fields you want are empty by default.

====================
Yep. My script checks for that and asks the Student what classroom and
seat are they in then uses utdesktop to update the SRDS. Shortens the
time it takes to locate a Student dramatically.
====================

   Which means you have to enter
the data, presumably because you want to act upon it.  If a hot desk
occurs, you'd have to re-query and reset because env variables are
static.  6-of-1, half a dozen of the other really.

====================
For our purposes, this isn't an issue.
====================

   I think supported "utinfo" utility is more of what your after, an easy
to use, and non-invasive (not to mention uniform) method to find a
variety of information that could be deemed useful to
administrators/kiosk users.  There is an RFE for this.

====================
DANG! I missed that memo big time! How do I get a look at the RFE?
====================

   We also have some location based features in beta right now that I'm sure 
you'll find
useful (FYI, there was just a webcast related to healthcare that covered
the upcoming location based awareness features)

====================
Thanks! I'll look around and see if the webcast is still available. Any clues?
====================

   That said, the point about poorly written kiosk scripts still applies.
For instance, you can query the location field and depending on the
switch you give utdesktop you will either involve authd, or you will be
making a harmless ldap query.  In almost all cases of the ut* commands
if you query only connected sessions, then you will be requiring authd
to get involved.  If you just list, then it's almost always an ldap
call.  If doubt and you have test system with few users, truss the authd
java process.  If truss starts spewing data when you run your ut* query,
then you are involving authd.

====================
My current script only uses utdesktop -p<SR_MAC>   with the output
parsed by nawk. In fact I just thought of a better way to use nawk
so I don't have to call utdesktop twice! Thanks for nudging me!
====================

   FWIW, support is not in the business of reviewing custom kiosk scripts.
    Oracle supports the kiosk framework and the ability for customers to
write their own script.  However, Oracle can't support the actual script
written by the customer (or the 3rd party programs they call) since they
weren't developed in manner that involves a formal release process (i.e.
tech and functional specs, QA, documentation, etc).  Not to mention the
proficiency with shell scripting varies greatly from customer to
customer.  I know I've caused more than my share of facepalms for the
likes of Otto, BobD, Kent, etc.

====================
Yep, I'm sure I'm sure I've done so many times.
====================

   If this sounds like an unreasonable
policy, it's exactly the support arrangement once would find with
Microsoft or Citrix with their power shells.

====================
Not unreasonable at all. It would be nice though if we could nurture
a "Kiosk Developers Community" through which we could support each other.
====================

   All that said, if the script can be sanitized, post it in the forum and I'll 
take a look.

====================
We'll have to do that offline. There's nothing classified, I just don't
feel like it's something I can post on such a large forum.
====================

Regarding the M4000, as beefy as they may be, all it takes is one of the
authd worker threads or something they interact with to be too busy at
the right time for certain things to fall apart.  Especially if you
needed that information to proceed in a script.  (This is why in most
kiosk environments, increasing the worker threads is a good idea).  Good
chance you wouldn't even see a blip on the overall system monitoring.

====================
32 worker threads if working fine. No negative impact. I'll re-visit the
blog to see if anything else might help.
====================


   -CB

--


Arthur H. Peck&  Associates, LLC
Cell Phone
         904-614-7902
         Skype
         904-638-5056
Email
         [email protected]
         Web
         http://artpeck.net


-------------- next part --------------
An HTML attachment was scrubbed...
URL:<http://www.filibeto.org/pipermail/sunray-users/attachments/20120219/e76635a2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: art-peck-logo-200.png
Type: image/png
Size: 12319 bytes
Desc: not available
URL:<http://www.filibeto.org/pipermail/sunray-users/attachments/20120219/e76635a2/attachment.png>

------------------------------

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users


End of SunRay-Users Digest, Vol 97, Issue 12
********************************************



--
Steven Gelsie                   Email: [email protected]
Johns Hopkins Univ./APL         Phone: 240-228-4081   DC
11100 Johns Hopkins Rd                 443-778-4081   Baltimore
Laurel, MD  20723-6099          FAX:   240-228-6119
Work Schedule : Mon-Thurs  8:30AM-6PM
                Friday     Work At Home

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users






















					Reply via email to