« Production use for the Include Directive | Main | Emergency Release Faux Pas »

01/27/2008

mod_jk times out on initial connections

If you come across a message similar to the following in your mod_jk logs and you know your apache server is up and your upstream tomcat server is up, I think I have the reason.

[Date/Time] [4994:52144] [error]
ajp_connection_tcp_get_message::jk_ajp_common.c (961): Can't receive the
response message from tomcat, network problems or tomcat is down
(10.X.X.X:8009), err=-110

[Date/Time] [4994:52144] [error]
ajp_get_reply::jk_ajp_common.c (1531): Tomcat is down or refused
connection. No response has been sent to the client (yet)

Conditions

An apache web server is in your DMZ. A firewall separates your web server from your tomcat (or jboss) application server. Web server connects to tomcat via mod_jk. After a period of site inactivity, you timeout on the initial load of the web application's default page. If you refresh the page, the browser loads the page normally.

Probable Cause

This is probably happening because the firewall is severing the ajp13 connection between mod_jk and tomcat. This is not a problem with the firewall, however, but is likely due to configuration defaults in mod_jk's workers.properties and in the tomcat server's server.xml.

A default workers.properties entry looks something like this:

worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

The default values for the ajp13 connector in tomcat's server.xml are the following:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

There are several things that should be added to both files in order to deal with firewalls that terminate idle sessions. By default, mod_jk keeps all ajp13 connections open indefinitely but it does not send keepalives across the tcp session to the tomcat server. If that connection is idle, it will remain open. Firewalls however do not like idle sessions and after a period of inactivity, will sever that connection. This is why the initial connection to the application might hang. ajp13 will hand the connection off to a tcp connection that is currently open but the firewall has killed that connection, resulting in the error messages above and the time out at the browser.

In workers.properties, add the following bolded parameters for each worker:

worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.socket_keepalive=True
worker.ajp13.connection_pool_timeout=600

"socket_keepalive" will send keepalives across the ajp13 session to tomcat. "connection_pool_timeout" will close the ajp13 session after 10 minutes of inactivity.

In server.xml on the tomcat ajp13 connector section, add the following in bold

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
connectionTimeout="600000" />

"connectionTimeout" will close any open, idle connections after a period of 10 minutes as well.

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01156fbc6fe6970c011572287ff4970b

Listed below are links to weblogs that reference mod_jk times out on initial connections:

Comments