Forum Discussion
JBOSS/Keycloak weird behaviour in 2 nodes setup
Hello,
First of all, sorry for the lack of information - I'm not sure what details I need to include, so I hope that based on this short description somebody will be able to ask some more questions, and when I answer/provide extra info we can troubleshoot it together.
I'm experiencing weird behaviour in my application. How it works:
- The customer visits application.domain.com (JBOSS). This is a "floating webserver on F5" that has a pool with 2 nodes behind it. The persistence profile applied to it is Cookie, then Source Address.
- The application redirects the client to sso.domain.com. This is another webserver on F5 (this time direct) that again has the persistence profile Cookie, then Source Address.
- The user logs in to SSO (it's basically a JBOSS/Keycloak application) and gets sent back to application.domain.com if AUTH was successful.
It was for 50% of the time. The problem is that my application.domain.com contains 2 JBOSS instances in standalone mode - they are not sharing a session database, so I need to make sure that whatever node I landed on initially, I will come back to it after my SSO finishes AUTH and redirects me back.
So I need to land on the same node from which I was redirected to SSO. Very often our users experience the issue where they get redirected to SSO after initially hitting NODE1, then after getting redirected back I can see they are trying to hit NODE2 - NODE2 is not aware of the session ... and the user gets permission denied.
I know that this is the problem as I can see error messages on the second node (session not recognised), and disabling one of the cluster members fixes the issue.
Can somebody please advise what details I need to provide to troubleshoot this issue (pcap, some tmsh command results etc.), or maybe based on my description we can already figure out what is going on there?
Just to confirm, by direct VS I mean that my SSO webserver is configured to listen directly on port 443 on a public IP address. The application is exposed by a "floating VS" concept that we are using, so:
- I've got a primary VS for domain.com listening on an external IP and port 443.
- This server does not have any default pool or persistence profile. The server has a policy attached that, based on the Host header, forwards traffic to the "floating VS".
- The floating VS is a server configured to not listen on any interfaces, and it has my application pool (2 jboss containers) set as its default pool.
Many thanks,
Dariusz
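One way to gather the evidence asked about above, as an added example that is not part of the original post: decode the BIG-IP persistence cookie from the Cookie header of each request in a browser or pcap trace, and flag the hop where the pinned pool member changes or the cookie is missing (at which point the profile falls back to Source Address). It assumes the default unencrypted insert-mode cookie format with IPv4 members; the pool name `app_pool`, the addresses and the trace are constructed sample values.

```python
import re
import socket
import struct

# Default unencrypted insert-mode cookie for an IPv4 pool member:
#   BIGipServer<pool>=<IP as little-endian decimal>.<port, byte-swapped>.0000
COOKIE_RE = re.compile(r"BIGipServer([^=;\s]+)=(\d+)\.(\d+)\.0000")


def decode_persistence_cookie(cookie_header):
    """Return (pool, 'ip:port') from a Cookie header, or None if absent/invalid."""
    m = COOKIE_RE.search(cookie_header)
    if not m:
        return None
    pool, ip_enc, port_enc = m.group(1), int(m.group(2)), int(m.group(3))
    if ip_enc > 0xFFFFFFFF or port_enc > 0xFFFF:
        return None  # not a valid IPv4/port encoding (e.g. encrypted cookie)
    ip = socket.inet_ntoa(struct.pack("<I", ip_enc))
    port = struct.unpack(">H", struct.pack("<H", port_enc))[0]
    return pool, f"{ip}:{port}"


def check_trace(trace):
    """trace: list of (label, Cookie header value) in request order.
    Returns findings for hops where the pin is missing or changed."""
    findings, pinned = [], None
    for label, header in trace:
        decoded = decode_persistence_cookie(header)
        if decoded is None:
            findings.append(f"{label}: no persistence cookie sent")
        elif pinned and decoded != pinned:
            findings.append(f"{label}: pin changed {pinned[1]} -> {decoded[1]}")
        else:
            pinned = decoded
    return findings


# Constructed sample trace: requests to application.domain.com before the
# SSO redirect and after the redirect back (values are not from the post).
SAMPLE_TRACE = [
    ("before SSO", "JSESSIONID=constructed1; BIGipServerapp_pool=1677787402.36895.0000"),
    ("return from SSO", "JSESSIONID=constructed1"),
    ("retry", "JSESSIONID=constructed1; BIGipServerapp_pool=1694564618.36895.0000"),
]

if __name__ == "__main__":
    for finding in check_trace(SAMPLE_TRACE):
        print(finding)
```

If the cookie is present and unchanged on the return request but the wrong node still answers, the cookie profile is probably not the one selecting the member on that path.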