504 Gateway Time-Out accessing secure Web server with Linux Access Gateway

  • 7001127
  • 08-Aug-2008
  • 26-Apr-2012

Environment

Novell Access Management 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 3 applied
Secure Web server being accelerated

Situation

User tries to access a secure Web server through the Linux Access Gateway but gets the following error message each time:

Status: 504 Gateway Time-Out
Description: Unable to connect to origin web server. The web site you are
attempting to access is currently unreachable. This may be due to a network
outage, or the web site might be experiencing technical difficulties.

Verified that the trusted root was imported into the correct trusted root stores, and confirmed that the issue also occurred with trusted root validation disabled. The problem occurred with or without authentication for this protected resource.

Resolution

Touch the /var/novell/.doNotUseTLS file on the Linux Access Gateway. Some Web servers do not support the TLS protocol. By default, the LAG tries the connection with the TLS protocol, and if the Web server does not support it, the SSL handshake is aborted.

Additional Information

To troubleshoot such an issue:

1. Modify the /etc/laglogs.conf file on the LAG to set:

   LOG_LEVEL=7
   DEBUG_HTTP_HEADERS=1
   DEBUG_SOAP_MESSAGES=0

2. Restart the proxy with /etc/init.d/novell-vmc restart
3. Start a tcpdump trace on the LAG
4. Reproduce the issue
5. Look at the:

   - LAN trace output
   - /var/log/ics_dyn.log file

Looking at the ics_dyn.log file, you will see something similar to

Aug  5 20:34:15 des-agtw : AM#504503000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: Process request 1 'login.tjp.gov:4455' '/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~1AA7B8DC~EA70FDC9D6D2F1281EF743649C95F598E7F086ED0412481657FF8F5B38FD4F853C63059BEA5AE8A3FCAB6A2FBF4DF3993C21BDA801425366C26A4B18F4E2B0183BD660621D69F4E00F2A674799A49FCFC67E8CBCF2A680355556DB5AE8A61D405A26FF89488F778DF80E0BBA509C977587492FC30FBE7A0622B90A46B82A5CF216F0B01065058497E4707B0708BCF9021C3BD0061BFE6D7B2982D60206D00C6C6753A6146C7004BD228B07A7683239646979D2C2F07A73333AB236A52B391783456964B3374150A48E3CD6C0AE679CF7F1D8EDC1AB40C160B13916A366C3C1F7' [100.100.6.168:50494 -> 100.100.228.113:4455] 
Aug  5 20:34:15 des-agtw : AM#504517000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: Remove the query string before searching
Aug  5 20:34:15 des-agtw : AM#504517000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: Query for the resource '/PLS/ORASSO/ORASSO.WWSSO_APP_ADMIN.LS_LOGIN'
Aug  5 20:34:15 des-agtw : AM#504517000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: Search success for the resource = /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~1AA7B8DC~EA70FDC9D6D2F1281EF743649C95F598E7F086ED0412481657FF8F5B38FD4F853C63059BEA5AE8A3FCAB6A2FBF4DF3993C21BDA801425366C26A4B18F4E2B0183BD660621D69F4E00F2A674799A49FCFC67E8CBCF2A680355556DB5AE8A61D405A26FF89488F778DF80E0BBA509C977587492FC30FBE7A0622B90A46B82A5CF216F0B01065058497E4707B0708BCF9021C3BD0061BFE6D7B2982D60206D00C6C6753A6146C7004BD228B07A7683239646979D2C2F07A73333AB236A52B391783456964B3374150A48E3CD6C0AE679CF7F1D8EDC1AB40C160B13916A366C3C1F7, pr:0x986ac904.
Aug  5 20:34:15 des-agtw : AM#504503000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: connecting to webserver 100.100.101.206:4455 45185132  noPersist . (policy:1:2) 
Aug  5 20:34:15 des-agtw : AM#504515000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#0: Connection Established with peer (100.100.101.206), port(4455) 
Aug  5 20:34:15 des-agtw : AM#504503000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#176: Establish SSL connection to webserver 
Aug  5 20:34:15 des-agtw : AM#504518000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#2545445748: Accept any trusted root from webserver
Aug  5 20:34:15 des-agtw : AM#504515000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#0: Connection Established with peer (100.100.101.206), port(4455) 
Aug  5 20:34:15 des-agtw : AM#504503000: AMDEVICEID#ag-01A9F3A7026372E1 : AMAUTHID#0: AMEVENTID#175: totalMsgs:84 msg:56:[Unable to connect to origin web server. The web site you are attempting to access is currently unreachable. This may be due to a network outage, or the web site might be experiencing technical difficulties.] 

Looking at the trace, one will see that the SSL handshake fails.
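To triage a longer ics_dyn.log for the sequence shown above, the following added example (not Novell code) reports at which stage each "Unable to connect to origin web server" message occurred. It assumes requests are not interleaved in the log, as when reproducing the issue on a quiet system; the sample lines, the function name and the stage labels are constructed for illustration, and the LAN trace is still needed to confirm a handshake failure.

```python
import re

# Constructed sample in the ics_dyn.log format shown above (documentation IPs,
# placeholder host and device ID). The second request is an assumed example of
# a failure before the TCP connection is established.
SAMPLE_LOG = """\
Aug  5 20:34:15 lag1 : AM#504503000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#175: connecting to webserver 192.0.2.10:4455 45185132  noPersist . (policy:1:2)
Aug  5 20:34:15 lag1 : AM#504515000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#0: Connection Established with peer (192.0.2.10), port(4455)
Aug  5 20:34:15 lag1 : AM#504503000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#176: Establish SSL connection to webserver
Aug  5 20:34:15 lag1 : AM#504503000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#175: totalMsgs:84 msg:56:[Unable to connect to origin web server.]
Aug  5 20:40:02 lag1 : AM#504503000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#181: connecting to webserver 192.0.2.20:443 45185133  noPersist . (policy:1:2)
Aug  5 20:40:23 lag1 : AM#504503000: AMDEVICEID#ag-EXAMPLE : AMAUTHID#0: AMEVENTID#181: totalMsgs:84 msg:56:[Unable to connect to origin web server.]
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
CONNECT = re.compile(r"connecting to webserver ([\d.]+):(\d+)")
TCP_UP = re.compile(r"Connection Established with peer \(([\d.]+)\), port\((\d+)\)")
SSL_START = "Establish SSL connection to webserver"
GW_ERROR = "Unable to connect to origin web server"

def classify_504s(lines):
    """Return (timestamp, 'ip:port', stage) for each 504 message in the log."""
    findings, target, tcp_up, ssl_started = [], None, False, False
    for line in lines:
        m = CONNECT.search(line)
        if m:  # new back-end attempt: reset the per-connection state
            target, tcp_up, ssl_started = "%s:%s" % m.groups(), False, False
            continue
        m = TCP_UP.search(line)
        if m and target == "%s:%s" % m.groups():
            tcp_up = True
        elif SSL_START in line:
            ssl_started = True
        elif GW_ERROR in line and target:
            if tcp_up and ssl_started:
                stage = "ssl-handshake"      # the pattern in this TID
            elif tcp_up:
                stage = "after-tcp-connect"
            else:
                stage = "tcp-connect"        # network or listener problem instead
            ts = STAMP.match(line)
            findings.append((ts.group(1) if ts else "", target, stage))
            target = None
    return findings

if __name__ == "__main__":
    for finding in classify_504s(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run it against the real file with `classify_504s(open("/var/log/ics_dyn.log"))`; entries marked `ssl-handshake` are the ones to compare with the tcpdump trace.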