Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com> on 2017/02/23 21:35:45 UTC

Connection reset while trying to access a web service running under Tomcat

We've got a problem, and I'm not sure where it is.

We've got a remote box, belonging to a customer, that's trying to access 
a web service hosted by a Tomcat server on one of our boxes (part of a 
new webapp).

The customer box is getting "Connection Resets" while trying to access 
our web service. Here is some of the debug output:
> (GSKit) I/O: A connection with a remote socket was reset by that socket.
> ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by that socket.
> SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket was reset by that

I think initially, the problem was in the customer's firewall not 
letting the requests out on the port this server runs. They say they've 
got that fixed, but the connection resets continue.

According to the statistics on our firewall appliance/router (a TP-Link 
WDR4300), it's getting some packet traffic intended for the server in 
question, but nothing is being logged by the webapp itself. And nothing 
seems to be getting logged to Catalina*.* from any of this traffic, 
whether failed sign-ons from the customer box, or successful traffic 
from one of our other boxes. Is there anything we can do to determine 
whether Tomcat is seeing any of these requests? And what it could be 
doing with them?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Resolved, Re: Connection reset while trying to access a web service running under Tomcat

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 2/24/17, 8:56 AM, Christopher Schultz wrote:

> You need to enable logging at a lower level than this if a TLS
> connection is failing. Tomcat doesn't get any indication that anyone
> even tried to make a connection if the TLS handshake fails.
. . .

Dear Mr. Schultz (and all others who responded):

As it turns out, it *WAS* still a problem at the customer's end. They 
did something else (they didn't say *what*) and now, it's working just fine.

Thanks for getting back to me, though.

--
JHHL




Re: Connection reset while trying to access a web service running under Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 2/23/17 7:08 PM, André Warnier (tomcat) wrote:
> On 24.02.2017 00:57, James H. H. Lampert wrote:
>> On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
>>> It seems to say right up here what the problem is : the
>>> customer system cannot establish a HTTPS connection with your
>>> server. The connection attempt starts, but then your server
>>> rejects it and closes the connection. Maybe they cannot agree
>>> on a common SSL protocol ?
>> . . .
>> 
>> Is there a diagnostic setting I can apply to the Tomcat server,
>> that would shed any light on what's happening?
>> 
> 
> Probably, if you set the log level high enough. Unfortunately, the 
> tomcat logging configuration is also not really my thing. One
> expert in these matters on this list is Christopher, but he seems
> to get list emails after some delay.

High praise. My delays are usually self-imposed. :)

> So have a little patience, and you'll probably be helped.
> 
> In the meantime, there is always the helpful on-line tomcat 
> documentation which you could try. 
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html

You need to enable logging at a lower level than this if a TLS
connection is failing. Tomcat doesn't get any indication that anyone
even tried to make a connection if the TLS handshake fails.

James, are you using APR/tcnative/OpenSSL or JSSE? With JSSE, you can
enable logging with the system property "-Djavax.net.debug=all"
(without quotes, of course). Beware: this will produce ENORMOUS
amounts of debugging output. Don't put it into production... just
set-up a test server within the same environment and try to make
connections.

Back to the original report... is this a single client that
*sometimes* gets connection resets or is it multiple clients, some of
which always get resets and other clients are okay? If it's one
client, do they have multiple boxes/client services, etc. that can be
identified as "always working" or "always failing", or is this all
totally intermittent?

Finally... what's the underlying protocol? Plain-old HTTP or
Websocket? I guess you are getting reset-on-connect and not
reset-during-communication, so the underlying protocol might not
matter at all.

-chris
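
Because Tomcat never sees a handshake that fails, one way to test the protocol-mismatch theory raised in this thread is to decode the client's ClientHello from a packet capture taken on the server side. This is an added example, not part of the original messages; the function names, the sample bytes and the server's enabled-protocol list are assumptions.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def _u16(buf, pos):
    return struct.unpack_from(">H", buf, pos)[0]

def parse_client_hello(record):
    """Decode version and cipher-suite offers from the first TLS record of a connection."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record starting with a ClientHello")
    end = 9 + int.from_bytes(record[6:9], "big")
    if end > len(record):
        raise ValueError("ClientHello is truncated or spans several records")
    legacy = _u16(record, 9)
    pos = 9 + 2 + 32                          # skip client_version and random
    pos += 1 + record[pos]                    # skip session_id
    n = _u16(record, pos)
    pos += 2
    suites = [_u16(record, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                    # skip compression_methods
    listed = []
    if pos + 2 <= end:                        # extensions are optional before TLS 1.3
        ext_end = pos + 2 + _u16(record, pos)
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from(">HH", record, pos)
            pos += 4
            if etype == 0x002B:               # supported_versions: 1-byte length, 2-byte items
                listed = [_u16(record, i) for i in range(pos + 1, pos + 1 + record[pos], 2)]
            pos += elen
    return {"legacy_version": legacy, "supported_versions": listed, "cipher_suites": suites}

def best_common_version(hello, server_enabled):
    """Highest protocol both sides could pick, or None if no version is shared."""
    server = {num for num, name in VERSIONS.items() if name in server_enabled}
    if hello["supported_versions"]:
        usable = server & set(hello["supported_versions"])
    else:  # no extension: legacy_version is the client's maximum (its minimum is not visible)
        usable = {v for v in server if v <= hello["legacy_version"]}
    return VERSIONS[max(usable)] if usable else None

# Constructed sample (not traffic from the thread): a TLS 1.0-only ClientHello
# offering cipher suites 0x002F and 0x000A, with no extensions.
_body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x04\x00\x2f\x00\x0a" + b"\x01\x00"
SAMPLE = (b"\x16\x03\x01" + struct.pack(">H", len(_body) + 4)
          + b"\x01" + len(_body).to_bytes(3, "big") + _body)
```

For the constructed sample, `best_common_version(parse_client_hello(SAMPLE), ["TLSv1.2"])` returns `None`: a server limited to TLS 1.2 shares no version with this client, so the handshake ends before any HTTP request exists for Tomcat to log.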


Re: Connection reset while trying to access a web service running under Tomcat

Posted by Tim Watts <ti...@cliftonfarm.org>.
On Fri, 2017-02-24 at 01:08 +0100, André Warnier (tomcat) wrote:
> On 24.02.2017 00:57, James H. H. Lampert wrote:
> > On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
> >> It seems to say right up here what the problem is : the customer system
> >> cannot establish a HTTPS connection with your server. The connection
> >> attempt starts, but then your server rejects it and closes the connection.
> >> Maybe they cannot agree on a common SSL protocol ?
> > . . .
> >
> > Is there a diagnostic setting I can apply to the Tomcat server, that would shed any light
> > on what's happening?
> >
> 
> Probably, if you set the log level high enough. Unfortunately, the tomcat logging 
> configuration is also not really my thing.
> One expert in these matters on this list is Christopher, but he seems to get list emails 
> after some delay. So have a little patience, and you'll probably be helped.
> In the meantime, there is always the helpful on-line tomcat documentation which you could try.
> http://tomcat.apache.org/tomcat-8.0-doc/logging.html
> 

In addition, you might want to indicate what HTTP Connector and SSL
stack you're using. Pure Java/JSSE? Native/OpenSSL?  I believe the
logging tweaks will be different for these.



Re: Connection reset while trying to access a web service running under Tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 24.02.2017 00:57, James H. H. Lampert wrote:
> On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
>> It seems to say right up here what the problem is : the customer system
>> cannot establish a HTTPS connection with your server. The connection
>> attempt starts, but then your server rejects it and closes the connection.
>> Maybe they cannot agree on a common SSL protocol ?
> . . .
>
> Is there a diagnostic setting I can apply to the Tomcat server, that would shed any light
> on what's happening?
>

Probably, if you set the log level high enough. Unfortunately, the tomcat logging 
configuration is also not really my thing.
One expert in these matters on this list is Christopher, but he seems to get list emails 
after some delay. So have a little patience, and you'll probably be helped.
In the meantime, there is always the helpful on-line tomcat documentation which you could try.
http://tomcat.apache.org/tomcat-8.0-doc/logging.html






Re: Connection reset while trying to access a web service running under Tomcat

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 2/23/17, 3:13 PM, André Warnier (tomcat) wrote:
> It seems to say right up here what the problem is : the customer system
> cannot establish a HTTPS connection with your server. The connection
> attempt starts, but then your server rejects it and closes the connection.
> Maybe they cannot agree on a common SSL protocol ?
. . .

Is there a diagnostic setting I can apply to the Tomcat server, that 
would shed any light on what's happening?

--
JHHL



Re: Connection reset while trying to access a web service running under Tomcat

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 23.02.2017 22:35, James H. H. Lampert wrote:
> We've got a problem, and I'm not sure where it is.
>
> We've got a remote box, belonging to a customer, that's trying to access a web service
> hosted by a Tomcat server on one of our boxes (part of a new webapp).
>
> The customer box is getting "Connection Resets" while trying to access our web service.
> Here is some of the debug output:
>> (GSKit) I/O: A connection with a remote socket was reset by that socket.
>> ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by that socket.
>> SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket was reset
>> by that

It seems to say right up here what the problem is : the customer system cannot establish a 
HTTPS connection with your server. The connection attempt starts, but then your server 
rejects it and closes the connection.
Maybe they cannot agree on a common SSL protocol ?

As for why, I'll leave that one to someone else, because there are a billion SSL 
protocols, with a trillion of variations, and a kazillion possible reasons for why they 
could not agree on one; and this is really not my thing.

>
> I think initially, the problem was in the customer's firewall not letting the requests out
> on the port this server runs. They say they've got that fixed, but the connection resets
> continue.
>
> According to the statistics on our firewall appliance/router (a TP-Link WDR4300), it's
> getting some packet traffic intended for the server in question, but nothing is being
> logged by the webapp itself. And nothing seems to be getting logged to Catalina*.* from
> any of this traffic, whether failed sign-ons from the customer box, or successful traffic
> from one of our other boxes. Is there anything we can do to determine whether Tomcat is
> seeing any of these requests? And what it could be doing with them?
>
> --
> JHHL
>


Re: Connection reset while trying to access a web service running under Tomcat

Posted by Peter Mykytyn <pe...@gmail.com>.

Use VPN or IPSEC for something like this.


On Thu, 23 Feb 2017 13:35:45 -0800
"James H. H. Lampert" <ja...@touchtonecorp.com> wrote:

> We've got a problem, and I'm not sure where it is.
> 
> We've got a remote box, belonging to a customer, that's trying to access 
> a web service hosted by a Tomcat server on one of our boxes (part of a 
> new webapp).
> 
> The customer box is getting "Connection Resets" while trying to access 
> our web service. Here is some of the debug output:
> > (GSKit) I/O: A connection with a remote socket was reset by that socket.
> > ssl_error(406): (GSKit) I/O: A connection with a remote socket was reset by that socket.
> > SetError() #30: SSL Handshake: (GSKit) I/O: A connection with a remote socket was reset by that
> 
> I think initially, the problem was in the customer's firewall not 
> letting the requests out on the port this server runs. They say they've 
> got that fixed, but the connection resets continue.
> 
> According to the statistics on our firewall appliance/router (a TP-Link 
> WDR4300), it's getting some packet traffic intended for the server in 
> question, but nothing is being logged by the webapp itself. And nothing 
> seems to be getting logged to Catalina*.* from any of this traffic, 
> whether failed sign-ons from the customer box, or successful traffic 
> from one of our other boxes. Is there anything we can do to determine 
> whether Tomcat is seeing any of these requests? And what it could be 
> doing with them?
> 
> --
> JHHL
> 