We're running ActiveMQ 4.1.1 for data transfer with, currently, about 6 remote clients. We recently started getting our server scanned by ScanAlert to get the HackerSafe logo on our web site. When they run scans against the ActiveMQ SSL port, it causes some of the client connections with the same port to hang until they apparently time out. Since they run in failover mode, we're not seeing connection error messages in the client logs, but are seeing processing problems because some Quartz-timed jobs are overlapping when they shouldn't, due to the connections hanging.
The messages we see in the broker log from the ScanAlert connect attempts that produce this problem happen every 15 seconds, and look like:

2008-04-07 10:34:53,879 [localhost:61617] ERROR TransportConnector - Could not accept connection from /209.67.114.42:48658: java.io.IOException: Wire format negociation timeout: peer did not send his wire format.
java.io.IOException: Wire format negociation timeout: peer did not send his wire format.
    at org.apache.activemq.transport.WireFormatNegotiator.oneway(WireFormatNegotiator.java:88)
    at org.apache.activemq.transport.MutexTransport.oneway(MutexTransport.java:47)
    at org.apache.activemq.broker.TransportConnection.dispatch(TransportConnection.java:1138)
    at org.apache.activemq.broker.TransportConnection.processDispatch(TransportConnection.java:805)
    at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:885)
    at org.apache.activemq.broker.TransportConnector$1.onAccept(TransportConnector.java:148)
    at org.apache.activemq.transport.tcp.TcpTransportServer.run(TcpTransportServer.java:167)
    at java.lang.Thread.run(Thread.java:595)

In trying to duplicate this, I've run a test hitting the broker twice a second with TCP requests on the SSL port, and when I look at the broker through JMX well after the testing is done, a lot of those bad connection attempts show up as connected but not active, with the ConnectionId as "Unavailable." So, it looks like bad connection attempts aren't being entirely disposed of right away.

Is there any configuration I can do at the broker level so that bad connections time out quickly and are removed from memory? Or does anyone have any other suggestions for making the broker less vulnerable to connection attempts like ScanAlert is doing?

Thanks!

--
View this message in context: http://www.nabble.com/HackerSafe-Scan-Hangs-Connections-tp16538819s2354p16538819.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
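An added example, not part of the original post: a small Python script that scans a broker log for the "Wire format negociation timeout" error quoted above and reports, per listener and peer IP, how often it occurs and at what cadence. The log layout is taken from the line in the post; the sample lines, the 192.0.2.x addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the broker ERROR line quoted in the post (same log layout assumed).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<listener>[^\]]+)\] ERROR TransportConnector - "
    r"Could not accept connection from /(?P<ip>[\d.]+):(?P<port>\d+): "
    r".*Wire format negociation timeout")

def summarize(lines):
    """Group failed wire-format negotiations by (listener, peer IP)."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # stack-trace lines and unrelated entries are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            seen[(m["listener"], m["ip"])].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {"count": len(stamps),
                       "median_gap_s": median(gaps) if gaps else None}
    return report

def repeat_offenders(report, min_count=3, max_gap_s=60.0):
    """Peers that fail negotiation repeatedly at a short, steady cadence.
    Thresholds are assumptions; tune them to the scanner's schedule."""
    return sorted(k for k, v in report.items()
                  if v["count"] >= min_count
                  and v["median_gap_s"] is not None
                  and v["median_gap_s"] <= max_gap_s)

# Constructed sample input: one peer probing every 15 s, one isolated failure.
MSG = ("{ts} [localhost:61617] ERROR TransportConnector - Could not accept "
       "connection from /{ip}:{port}: java.io.IOException: Wire format "
       "negociation timeout: peer did not send his wire format.")
SAMPLE = [MSG.format(ts=f"2008-04-07 10:34:{s:02d},879", ip="192.0.2.10",
                     port=48658 + i) for i, s in enumerate((8, 23, 38, 53))]
SAMPLE.append(MSG.format(ts="2008-04-07 10:40:01,120", ip="192.0.2.77", port=50312))
SAMPLE.append("\tat org.apache.activemq.transport.WireFormatNegotiator"
              ".oneway(WireFormatNegotiator.java:88)")

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for (listener, ip), stats in sorted(rep.items()):
        print(listener, ip, stats)
    print("repeat offenders:", repeat_offenders(rep))
```

Peers it flags can then be compared against the scanner's published source addresses and the times the client connections hung.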