Cisco Bug: CSCus40821 - LDAP issues cause performance loss if LDAP connection pooling enabled

Last Modified

Jun 08, 2016

Products (1)

  • Cisco Cloud Web Security

Known Affected Releases

3.0(1.7) 3.0(1.9)

Description (partial)

Symptom:
The CWS Standalone Connector suffers performance degradation while LDAP connection errors exist and LDAP connection pooling is enabled.

Conditions:
CWS Standalone Connector is unable to connect to the LDAP server and ldap.connection.pooling.enabled=true is set in the agent.properties file.


Example LDAP errors from a connector.log:
--------------------------
19-12-2014 14:05:38,653 [HttpProxyServer-thread-409]  INFO ye - Schema: ntlm found in header: Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
19-12-2014 14:05:38,653 [HttpProxyServer-thread-409]  INFO ye - Schema: ntlm found in header: Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAYABgBwAAAACQAJAHYAAAAAAAAAfwAAAAAAAAAAAAAAAgIAAHt4swknfUQLM9iiT7Z0Vl/tGD5VUz6FcXjJ6n03VGIo7KC3irXf0FVJJivFrReuLlNUUkVTU2FkbWluNDE3NA==
19-12-2014 14:05:38,653 [HttpProxyServer-thread-409] DEBUG ig - Do action called
19-12-2014 14:05:38,653 [HttpProxyServer-thread-409] DEBUG ig - Resource succeeded xf{10.10.1.8:8080,plain}
19-12-2014 14:05:38,653 [HttpProxyServer-thread-409] DEBUG ig - Do action called
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] ERROR ag - AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] ERROR ag - LDAP Error Cause: connect timed out
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] DEBUG ig - Resource failed. Retrying
l: AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
	at ag.a(Unknown Source)
	at ag.a(Unknown Source)
	at ig.a(Unknown Source)
	at u.a(Unknown Source)
	at nb.a(Unknown Source)
	at nb.c(Unknown Source)
	at sb.d(Unknown Source)
	at kb.b(Unknown Source)
	at af.e(Unknown Source)
	at af.b(Unknown Source)
	at af.a(Unknown Source)
	at zd.a(Unknown Source)
	at we.a(Unknown Source)
	at hd.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
19-12-2014 15:58:23,415 [HttpProxyServer-thread-409] ERROR ag - AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
19-12-2014 15:58:23,415 [HttpProxyServer-thread-409] ERROR ag - LDAP Error Cause: connect timed out
19-12-2014 15:58:23,415 [HttpProxyServer-thread-409] DEBUG ig - Resource failed. Retrying
l: AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
	at ag.a(Unknown Source)
	at ag.a(Unknown Source)
	at ig.a(Unknown Source)
	at u.a(Unknown Source)
	at nb.a(Unknown Source)
	at nb.c(Unknown Source)
	at sb.d(Unknown Source)
	at kb.b(Unknown Source)
	at af.e(Unknown Source)
	at af.b(Unknown Source)
	at af.a(Unknown Source)
	at zd.a(Unknown Source)
	at we.a(Unknown Source)
	at hd.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] ERROR ag - AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] ERROR ag - LDAP Error Cause: connect timed out
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] DEBUG ig - Resource failed ag{ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local}
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] DEBUG ig - Resource failed gracefully with:
javax.naming.CommunicationException: 10.10.1.100:3268 [Root exception is java.net.SocketTimeoutException: connect timed out]
	at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(Unknown Source)
	at com.sun.jndi.ldap.pool.Connections.<init>(Unknown Source)
	at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Unknown Source)
	at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.getInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.InitialContext.<init>(Unknown Source)
	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
	at ag.a(Unknown Source)
	at ag.a(Unknown Source)
	at ig.a(Unknown Source)
	at u.a(Unknown Source)
	at nb.a(Unknown Source)
	at nb.c(Unknown Source)
	at sb.d(Unknown Source)
	at kb.b(Unknown Source)
	at af.e(Unknown Source)
	at af.b(Unknown Source)
	at af.a(Unknown Source)
	at zd.a(Unknown Source)
	at we.a(Unknown Source)
	at hd.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketTimeoutException: connect timed out
	at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
	at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
	at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
	at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
	at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
	... 35 more
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] DEBUG ig - No resources, throwing exception
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] ERROR u - Unable to bind to LDAP Provider. No available resources were found.
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409]  INFO nb - Can't query LDAP server as we don't have an LDAP context for the domain: STRESS. Will return an empty group list
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409] DEBUG eh - 3DES Encryption took 0 ms
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409]  INFO af - REQMOD : GET http://10.10.1.10/w1e32e4d6.47b16226:00000008/t03/_000024fe HTTP/1.1
19-12-2014 17:07:00,409 [HttpProxyServer-thread-409]  WARN yd - Statusline is null.  Requestline was: GET http://10.10.1.10/w1e32e4d6.47b16226:00000008/t03/_000024fe HTTP/1.1
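
A triage sketch for the two conditions above, as an added example that is not Cisco code: it counts LDAP connection failures per server and cause in a connector.log, counts requests that went ahead with an empty group list, and checks agent.properties for the pooling key. The function names and the sample log and properties text are constructed for illustration, and only the key=value properties syntax is handled.

```python
import re
from collections import Counter

# Constructed sample in the connector.log format shown above (not real data).
SAMPLE_LOG = """\
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] ERROR ag - AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] ERROR ag - LDAP Error Cause: connect timed out
19-12-2014 15:38:11,093 [HttpProxyServer-thread-409] DEBUG ig - Resource failed. Retrying
\tat ag.a(Unknown Source)
19-12-2014 15:38:12,500 [HttpProxyServer-thread-17] ERROR ag - AD LDAP resource failed: ldap://10.10.1.100:3268, Principal=cn=administrator,cn=users,dc=stress,dc=local
19-12-2014 15:38:12,500 [HttpProxyServer-thread-17] ERROR ag - LDAP Error Cause: connect timed out
19-12-2014 15:38:12,501 [HttpProxyServer-thread-17]  INFO nb - Can't query LDAP server as we don't have an LDAP context for the domain: STRESS. Will return an empty group list
"""
SAMPLE_PROPS = "# constructed agent.properties fragment\nldap.connection.pooling.enabled = true\n"

LINE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2},\d{3}) \[([^\]]+)\]\s+(\w+) (\S+) - (.*)$")
FAILED = re.compile(r"^AD LDAP resource failed: (\S+), Principal=")
CAUSE = re.compile(r"^LDAP Error Cause: (.*)$")

def pooling_enabled(props_text):
    enabled = False
    for raw in props_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "ldap.connection.pooling.enabled":
            enabled = value.lower() == "true"  # last occurrence wins
    return enabled

def summarize(log_text):
    failures, threads, empty_groups = Counter(), set(), 0
    pending = {}  # thread -> LDAP URL awaiting its "LDAP Error Cause" line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:  # stack-trace and continuation lines carry no timestamp
            continue
        _, thread, level, _, msg = m.groups()
        if level == "ERROR" and (f := FAILED.match(msg)):
            pending[thread] = f.group(1)
        elif level == "ERROR" and (c := CAUSE.match(msg)) and thread in pending:
            failures[(pending.pop(thread), c.group(1))] += 1
            threads.add(thread)
        elif "Will return an empty group list" in msg:
            empty_groups += 1  # request proceeded without group membership
    return {"failures": dict(failures), "threads": sorted(threads), "empty_group_lookups": empty_groups}

def matches_bug_conditions(log_text, props_text):
    return pooling_enabled(props_text) and bool(summarize(log_text)["failures"])
```

The empty_group_lookups count is worth tracking alongside the performance symptom, since each one is a request handled without the user's directory groups.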