This content has been marked as final. Show 6 replies
I need to clarify: Each OAM server is pointing to its own Oracle DB. Also the OAM servers (OAM1 and OAM2) are not clustered. This configuration is due to some requirements that we have. Also BTW, we are using X509 authentication.
To answer your question about what kind of problem:
As I said, after OAM1 comes back up, the webgate starts communicating with OAM1 server port 5575. However, the challenge and challenge redirect URLs that the browsers are served are still pointed to OAM2. So, the OAM2 is doing the ATN and creating the ObSSOCookie. Then, when an attempt to access is made with that ObSSOCookie, the OAM1 fails to validate the ObSSOCookie.
We are seeing several symptoms during the 30 minute period before the challenge/challenge redirect URL is corrected, but the main problem is that we get a Firefox redirect error page, i.e., it appears that the browser is "looping".
Can you provide which configuration you are using in Webserver for failover?
If it is apache/OHS you can have this in following way, using Status=+H gets request only when other server is not running.
BalancerMember http://10.1.1.5 status=+H
One of the colleagues that I work with (the one that dragged me into this problem :)!) already opened an SR on this to try to get an explanation and/or fix. I've been posting the inquiry around, including here and the support community (I think you're there also), to try to see if anyone might know.
Just as you said, I might have also expected some difference in the failover vs. failback timing (I call this "hysteresis"), but 30 seconds seems a bit much, and, as you might guess, will cause all kinds of operational problems and confusion. I really would have expected that whenever the webgate switches from primary to secondary, or, from secondary to primary, it'd contact the OAM server to pick up a new set of challenge/challenge redirect URLs, but that definitely doesn't look like what is happening.
Thanks for responding, and I will post back if we get a resolution from support. Meanwhile, if anyone out there knows the answer, please post here!
Edited by: jimcpl on Feb 8, 2013 2:22 PM