Raghav,

On 4/29/20 22:26, Ragavendhiran Bhiman (rabhiman) wrote:
> The below is the executor element.
>
> <Executor name="AdminExecutorPool" namePrefix="admin-http-pool"
> maxThreads="450" minSpareThreads="5"/>
>
> I also captured the network pcap and am able to see many RST packets
> in between that are marked as RED in Wireshark.

Okay, so far you have told us:

1. You are using Tomcat 8.5.29

2. You have an <Executor> with 450 threads in it

3. You see "lots of threads"

4. You are seeing lots of RST packets

We can't help you without more details. Pretend we aren't looking at
your screen as you investigate.

How many threads are you seeing? More than 450? How many, exactly?
What are the names of the threads?

Some things I have noticed that seem ... suspicious.

1. Your sslImplementationName is invalid.

2. You have a 5-minute keepAliveTimeout -- which sounds insanely high
-- and an infinite number of keepalive requests. Are you fronting
Tomcat with a load-balancer or other reverse-proxy?

3. You have sendReasonPhrase="true" which indicates that you are
working with clients which violate the HTTP specification.

4. You have an infinite "maxSavePostSize" setting. Are you expecting
many users to perform unauthenticated POSTs where the POST body needs
to be very large, and saved-and-replayed during the authentication step?

5. Your keystoreType is PKCS11 which is usually a hardware keystore.
Fine. But you have a truststoreType of PKCS11 as well. Are you using a
hardware trust store as well?

-chris

>
> Thanks & Regards,
>
> Raghav
>
>
> On 29/04/20, 9:52 PM, "Mark Thomas" <ma...@apache.org> wrote:
>
> On 29/04/2020 14:53, Ragavendhiran Bhiman (rabhiman) wrote:
>> Yes you are correct apache tomcat version 8.5.29 being used.
>>
>> On 29/04/20, 7:22 PM, "Ragavendhiran Bhiman (rabhiman)"
>> <rabhi...@cisco.com> wrote:
>>
>> Hi Mark,
>>
>> We have configured 450 threads for port number 443 with the
>> following executor
>
> That is a Connector element, not the executor element. We need
> both.
>
> Mark
>
>
>>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> SSLEnabled="true" maxKeepAliveRequests="-1"
>> keepAliveTimeout="300000" executor="AdminExecutorPool"
>> maxSavePostSize="-1" scheme="https" secure="true"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" compression="on"
>> compressableMimeType="text/html,text/json,text/javascript,text/css,application/javascript"
>> sslEnabledProtocols="${sslEnabledProtocolsHighSecurity}" server=" "
>> allowUnsafeLegacyRenegotiation="false" clientAuth="false"
>> bindOnInit="false" URIEncoding="UTF-8"
>> useBodyEncodingForURI="true" keystoreType="PKCS11"
>> keyAlias="tomcat" truststoreType="PKCS11"
>> sendReasonPhrase="true"
>> sslImplementationName="org.apache.tomcat.util.net.jsse.IseJSSEImplementation"
>> />
>>
>> I could see 450 threads open for servicing the clients in one
>> specific setup only. What could be the reason?
>>
>> Thanks a lot.
>>
>> Regards,
>>
>> Raghav
>>
>>
>> On 29/04/20, 7:18 PM, "Mark Thomas" <ma...@apache.org> wrote:
>>
>> On 29/04/2020 14:24, Ragavendhiran Bhiman (rabhiman) wrote:
>>> Apache version 8.5.29
>>
>> Given this is the Apache Tomcat mailing list and that that is a
>> valid, although rather old, Tomcat version number I assume you
>> mean you are using Apache Tomcat 8.5.29.
>>
>> Generally, please also include JVM vendor and version being used
>> as well as OS.
>>
>> <snip/>
>>
>>> Hi,
>>>
>>> I am seeing too many open threads to port number 443 with
>>> TLSv1.2, what could be the primary reason for the same?
>>
>> Open threads? That doesn't make sense. Do you mean open ports,
>> threads (idle, active, both) or something else?
>>
>> How are you defining "too many"? More than you expect? There is
>> an error? Something else?
>>
>>> How can I analyze the problem? Any particular pointers if you
>>> could provide will be more helpful.
>>
>> That depends on what the problem turns out to be.
>>
>> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
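
The connector settings questioned in the reply above, turned into a repeatable check over a server.xml fragment. This is an added example, not part of the original message or of Tomcat; the function names, the finding codes, the constructed <Service> wrapper and the 60-second keep-alive threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Executor and Connector as posted in the thread (attributes trimmed to the ones
# reviewed), wrapped in a constructed <Service> so the fragment parses alone.
SERVER_XML = """
<Service name="Catalina">
  <Executor name="AdminExecutorPool" namePrefix="admin-http-pool"
            maxThreads="450" minSpareThreads="5"/>
  <Connector port="443" SSLEnabled="true" executor="AdminExecutorPool"
             maxKeepAliveRequests="-1" keepAliveTimeout="300000"
             maxSavePostSize="-1" sendReasonPhrase="true"
             keystoreType="PKCS11" truststoreType="PKCS11"/>
</Service>
"""

KEEPALIVE_LIMIT_MS = 60000  # assumed review threshold, not a Tomcat default


def as_int(value):
    """Parse a numeric attribute; None if absent or a ${property} placeholder."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def review_connectors(xml_text, keepalive_limit_ms=KEEPALIVE_LIMIT_MS):
    """Return (port, code) findings for the settings the reply questions."""
    root = ET.fromstring(xml_text)
    pools = {e.get("name") for e in root.iter("Executor")}
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        ref = conn.get("executor")
        timeout = as_int(conn.get("keepAliveTimeout"))
        checks = [
            ("executor-missing", ref is not None and ref not in pools),
            ("keepalive-timeout", timeout is not None
             and (timeout == -1 or timeout > keepalive_limit_ms)),
            ("keepalive-unlimited", conn.get("maxKeepAliveRequests") == "-1"),
            ("save-post-unlimited", conn.get("maxSavePostSize") == "-1"),
            ("reason-phrase", conn.get("sendReasonPhrase", "").lower() == "true"),
            ("pkcs11-truststore", conn.get("truststoreType", "").upper() == "PKCS11"),
        ]
        findings += [(port, code) for code, hit in checks if hit]
    return findings


if __name__ == "__main__":
    print(review_connectors(SERVER_XML))
```

The sslImplementationName value is not checked here, because whether a class name is valid depends on what is on the server's classpath.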
