Troubleshoot the proxy server
- Problem: Proxy server created successfully. Unable to start.
Check the SYSOUT file for port conflicts.
Use netstat –a to see if any of the endpoints associated with the proxy server are already in use...
Servers | Proxy servers | <server_name> | PortsIf the proxy server fails to start when attempting to start it as a non-privleged user on UNIX systems, check for the following message in the logs:
ChannelFramew E CHFW0029E: Error initializing chain HTTPS_PROXY_CHAIN because of exception com.ibm.wsspi.channel.framework.exception.RetryableChannelException: Permission deniedTCPPort E TCPC0003E: TCP Channel TCP_7 initialization failed. The socket bind failed for host * and port 80. The port may already be in use.
Change the ports of the PROXY_HTTP_ADDRESS and PROXY_HTTPS_ADDRESS transport chains to values greater than 1024.
- Problem: The proxy server is located in front of multiple Web containers on the same machine, each of which are listening on non-default ports.
Add the listening port numbers of the Web container to the virtual host that is associated with the target application. This process will ensure that the proxy server routes the request to the Web container over the correct port number.
- Problem: The proxy server started, but application resources are unavailable through the endpoints for the proxy server.
Verify the endpoints for the proxy server are among the host aliases in the virtual host that are associated with the application.
- Problem: The proxy server routes to another core group.
Verify that core group bridges exist between the core groups in the cell, and that the processes that are chosen to be bridges are restarted. If there is a firewall between the core group, verify that the correct ports are open for core group bridge traffic.
- Problem: The proxy server routes to another cell.
Review the core group bridge settings. Verify that the peer access point group names match in each cell. Check the peer ports against the bridge interfaces to verify that they are correct. If bridge interfaces or peer ports are added or changed, restart all bridge interfaces.
- Problem: Receiving a blank page when making a request to the proxy.
- Update the virtual host.
Verify the target application and routing rule are assigned to a virtual host that includes the proxy server listening ports (default: HTTP 80, HTTPS 443). Add the proxy server listening ports to the application, or routing rule virtual host, or use the proxy_host virtual host.
- Stop the conflicting process.
Check your system to ensure that no other process (for example, Apache, IBM HTTP Server, and so on) is running that uses the proxy server ports (default: HTTP 80, HTTPS 443). If this problem occurs, the proxy server seems to start normally, but is unable to receive requests on the affected listening port. Check your system as follows:
- Stop the proxy server.
- Query your system using netstat and ps commands to determine if an offending process is using the port on which the proxy server is listening.
- If an offending process is found, stop the process and configure your system so that the process is not started during system startup.
- Enable proxy routing.
Ensure that proxy routing is enabled for the Web module of the application. Proxy routing is enabled by default, so if no proxy properties are modified, disregard this solution.
Otherwise, see Customizing routing to applications for instructions on modifying the proxy properties.
- Test direct request.
Verify the target application is installed by making a request directly to the appserver. If a response is not received, then the problem is with the appserver and not the proxy server. Verify this case by going through the proxy server after you can receive a response directly from the appserver.
- Problem: HTTP 404 (File not found) error received from the proxy server. Consider the following actions:
- Update the virtual host.
Verify the target application and routing rule are assigned to a virtual host that includes the proxy server listening ports (default: HTTP 80, HTTPS 443). Add the proxy server listening ports to the application, or routing rule virtual host, or use the proxy_host virtual host.
- Enable proxy routing.
Ensure that proxy routing is enabled for the Web module of the application. Proxy routing is enabled by default, so if no proxy properties are modified, disregard this solution. Otherwise, see Customizing routing to applications for instructions on modifying the proxy properties.
- Test direct request.
Verify the target application is installed by making a request directly to the appserver. If a response is not received, then the problem is with the appserver and not the proxy server. Verify this case by going through the proxy server when you can receive a response directly from the appserver.
- Problem: Unable to make SSL requests to application or routing rule.
Verify the virtual host of the application or routing rule includes a host alias for the proxy server SSL port (default: 443).
- Problem: Unable to connect to the proxy server...request times out.
Stop the conflicting process.
Check your system to ensure that no other process (for example, Apache, IBM HTTP Server, and so on) is running that uses the proxy server ports (default: HTTP 80, HTTPS 443). If this situation occurs, the proxy server seems to start normally, but is unable to receive requests on the affected listening port. Check your system, as follows:
- Stop the proxy server.
- Query your system using netstat and ps commands to determine if an offending process is using a port on which the proxy server is listening.
- If an offending process is found, stop the process and configure your system so that the process is not started during system startup.
- Problem: Did not receive a response from the error page application when the HTTP error occurred (for example, 404).
Verify the error page URI is entered correctly.
Make sure that the Handle remote errors option is selected if you are handling HTTP error responses from back-end servers.
- Problem: What packages do I enable when tracing the proxy server?
All of the following packages are not needed for every trace, but if unsure, use all of them:
- *=info
- WebSphere Proxy=all
- GenericBNF=all
- HAManager=all
- HTTPChannel=all
- TCPChannel=all
- WLM*=all
- DCS=all
- ChannelFrameworkService=all
- com.ibm.ws.dwlm.*=all
- com.ibm.ws.odc.*=all
- Problem: How do I enable SSL on/off load?
SSL on/off load is referred to as the transport protocol in the console, and transport protocol is a Web module property. Refer to Customizing routing to applications to see how to configure Web module properties. No SSL on/off load or transport protocol properties exist for routing rules because the transport protocol is inherent to the generic server cluster that is specified in the routing rule.
- Problem: When fronted by IBM HTTP Server or a plug-in, how do I configure the proxy server so I do not have to add a port for it to the virtual host?
For the proxy server to trust the security-related information, for example WAS private headers, of a request, add the originator of the request to the proxy server trusted security proxies list. For example, add an IBM HTTP Server or a plug-in sending requests to the proxy server to the proxy server trusted security proxies list. The plug-in sends private header information that among other things, contains the virtual host information of a request. If the proxy does not trust the WAS private headers from the plug-in (or any client), the proxy server adds its own WAS private headers, which requires the addition of proxy server ports (HTTP and HTTPS) to the virtual host. Most likely, when using the plug-in with the proxy server, the intent is to use the proxy server as a back-end server. Be sure to add the WAS plug-in as a trusted security proxy to avoid having to expose the proxy server ports. Refer to Routing requests from a plug-in to a proxy server for more information about configuring the WAS plug-in to use with the proxy server. Refer to Proxy server settings for more information about trusted security proxies.
- Problem: The proxy server seems to "hang" under stress, or "Too Many Files Open" exceptions display in ffdc or SystemErr.log.
Under high connection loads, the number of file system descriptors might become exhausted and the proxy server may seem to hang and drop "Too Many Files Open" exceptions in the ffdc directory or in the SystemError.log file because it is unable to open a socket. The problem can be alleviated by setting certain tuning parameters at the operating system level and at the proxy server level that optimize the use of connections for the proxy server:
Operating system tuning for Windows 2000, 2003, and XP
- TcpTimedWaitDelay - Determines the time that must elapse before TCP/IP releases a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state, or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP releases closed connections faster and can provide more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, or an adjustment because of a low throughput caused by multiple connections in the TIME_WAIT state. View or set this value as follows:
- Use the regedit command and access the registry subkey...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters...to create a new REG_DWORD value named TcpTimedWaitDelay.
- Set the value to decimal 30, which is Hex 0x0000001e. This value sets the wait time to 30 seconds.
- Stop and restart your system.
Default value 0xF0, which sets the wait time to 240 seconds (4 minutes). Recommended value A minimum value of 0x1E, which sets the wait time to 30 seconds.
- MaxUserPort - Determines the highest port number that TCP/IP can assign when an application requests an available user port from the system. View or set this value as follows:
- Use the regedit command, access the registry subkey...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters...and create a new REG_DWORD value named MaxUserPort.
- Set this value to at least decimal 32768.
- Stop and restart your system.
Default value None Recommended value At least decimal 32768.
- Operating system tuning for Linux
- timeout_timewait parameter - Determines the time that must elapse before TCP/IP releases a closed connection and can reuse its resources. This interval between closure and release is known as the TIME_WAIT state, or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster, providing more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, and a low throughput due to many connections sitting in the TIME_WAIT state. View or set this value by issuing the following command to set the timeout_timewait parameter to 30 seconds:
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
- Linux file descriptors (ulimit) - Specifies the number of open files that are supported. The default setting is typically sufficient for most applications. If the value set for this parameter is too low, a file open error, memory allocation failure, or connection establishment error might display.
View or set this value by checking the UNIX reference pages on the ulimit command for the syntax of different shells. Set the ulimit command to 65535 for the KornShell shell (ksh), by issuing the ulimit -n 65535 command. Use the ulimit -a command to display the current values for all limitations on system resources.
Default value 1024 Recommended value 65535
- Operating system tuning for AIX
- TCP_TIMEWAIT - Determines the time that must elapse before TCP/IP releases a closed connection and can reuse its resources. This interval between closure and release is known as the TIME_WAIT state, or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster, providing more resources for new connections. Adjust this parameter, if the running application requires rapid release or the creation of new connections, or if a low throughput occurs due to many connections sitting in the TIME_WAIT state. View or set this value by issuing the following command to set the TCP_TIMEWAIT state to 15 seconds:
/usr/sbin/no -o tcp_timewait =1
- AIX file descriptors (ulimit) - Specifies the number of open files that are permitted. The default setting is typically sufficient for most applications. If the value set for this parameter is too low, errors can occur when opening files or establishing connections, and a memory allocation error might display. To prevent WAS from running short on resources, remove the upper limits (ulimit) for resources on the user account on which the WAS process runs.View or set this value by changing the ulimit settings as follows:
- Open the command window.
- Type smitty users to open the AIX configuration program.
- Select Change or Show Characteristics of a user.
- Type the name of the user account on which the WAS runs.
- Press Enter.
- Change the following settings to the indicated value:
Soft FILE Size -1 Soft CPU Time -1 Soft STACK Size -1 Soft CORE File Size -1 Hard FILE Size -1 Hard CPU Time -1 Hard STACK Size -1 Hard CORE File Size -1
- Press Enter to save changes.
- Log out and log into your account.
- Restart WAS
Default value 2000 Recommended value unlimited
- Operating system tuning for Solaris
- TCP_TIME_WAIT_INTERVAL - Notifies TCP/IP on how long to keep the connection control blocks closed. After the applications complete the TCP/IP connection, the control blocks are kept for the specified time. When high connection rates occur, a large backlog of the TCP/IP connections accumulate and can slow server performance. The server can stall during certain peak periods. If the server stalls, the netstat command shows that many of the sockets that are opened to the HTTP server are in the CLOSE_WAIT or FIN_WAIT_2 state. Visible delays can occur for up to four minutes, during which time the server does not send any responses, but CPU utilization stays high with all of the activities in system processes. View or set this value by using the get command to determine the current interval and the set command to specify an interval of 30 seconds. For example:
ndd -get /dev/tcp tcp_time_wait_interval ndd -set /dev/tcp tcp_time_wait_interval 30000
Default value 240000 milliseconds, which is equal to 4 minutes. Recommended value 60000 milliseconds
- Proxy server tuning
- Persistent requests - A persistent request is one that is sent over an existing TCP connection. You can maximize performance by increasing the number of requests that are received over a TCP connection from a client. The value should represent the maximum number of embedded objects, for instance GIF and so on, in a Web page +1.
View or set this value in the WebSphere Application Server console by clicking...
Servers | Proxy Servers | server_name | Proxy server transports | HTTP_PROXY_CHAIN/HTTPS_PROXY_CHAIN
Default value 100 Recommended value A value that represents the maximum number of embedded objects in a Web page + 1.
- Outbound connection pool size - The proxy server pools outbound connections to target servers and the number of connections that resides in the pool is configurable. If the connection pool is depleted or empty, the proxy server creates a new connection to the target server. Under high concurrent loads, increase the connection pool size should to a value of the expected concurrent client load to achieve optimal performance.
View or set this value in the console by clicking...
Servers | Proxy Servers | server_name | HTTP Proxy Server SettingsIn the Content Server Connection section, increase the maximum connections per server field to a value that is equal to or greater than the expected maximum number of connected clients. Save your changes, synchronize the changes to the proxy server node, and restart the proxy server.
Recommended value Value consistent to the expected concurrent client load.
- Outbound request time-out - Often times, the back-end appservers that are fronted by the proxy server may be under high load and may not respond in an adequate amount of time, therefore the connections on the proxy server may be tied up from waiting for the back-end appserver to respond. Alleviate this by configuring the amount of time the proxy server waits for a response from the target server. This is the Outbound Request Time-out value. By managing the amount of time the proxy server waits for a slow back-end appserver, connections are freed up faster and used for other request work.View or set this value in the WAS administrative console by clicking...
Servers | Proxy Servers server_name | HTTP Proxy Server SettingsIn the Content Server Connection section, set Outbound Request Time-out to a value that represents the acceptable response time from the point of view of the client.
Default value 120 Recommended value A value that represents the acceptable response time from the point of view of the client.
- Problem: HMGR0149E: An attempt by another process to connect to this process via the core group transport has been rejected.
The connecting process provided a source core group name of network1server1a.com9353network2server2a.com9353, a target of <null> a member name of 10.42.45.18:9353 and an IP address of /10.42.45.18. If you receive this error message, your application requires security between the Web modules and EJB modules. You must configure WebSphere Application Security by doing the following:
- Review the time, date, and time zone on all machines in both cells. The machines in the primary and backup cells must be within five minutes of each other.
- Configure a user registry with an LDAP server, OS security or a custom user registry.
See Exporting LTPA keys for more information.
Troubleshooting request routing and workload management through the proxy server
Related information
Setting up the proxy server