Access Manager Failover very slow when using Windows 2008 Web Servers

  • 7016125
  • 29-Jan-2015
  • 29-Jan-2015

Environment

Access Manager 4.0
Windows 2008 IIS Web Servers

Situation

The Access Gateway forwards requests to two IIS web servers on Windows 2008 and load balances between them using Round Robin. A failover test was performed by shutting down IIS on one server, with the expectation that traffic would quickly fail over to the other server.

Instead, failover took 2 minutes, because the Access Gateway waited for its data read timeout to expire. This is unexpected: a normal web server whose service is down immediately answers a connection attempt with a REJECT (TCP RST) packet, the MAG sees the refusal at once and fails over in a timely manner.

Windows 2008 Server has a feature called Stealth Mode – when a listening service is brought down and there is an attempt to hit the port, the server silently DROPs the packet instead of REJECTing it with a TCP RST (which is what would generally be expected). The gateway therefore receives no answer at all and cannot tell a dead server from a slow one until its own timer expires.


Resolution

A workaround is to reduce the data read timeout in NAM to 15 seconds; this is not a perfect solution, but it bounds the failover delay to an acceptable value in the case where a server goes down.
Another option is to disable Stealth Mode on the web servers, but this requires intervention by the Web Server Administrator.
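The following Python script is an added illustration of both the situation and the workaround above; it is not part of this TID or of Access Manager. It starts two local backends: one that answers, and one that accepts a connection but never sends a byte (the closest offline stand-in for a server that DROPs traffic), and also picks a port where nothing listens (the REJECT/RST case). A small round-robin client with a configurable data read timeout then measures how long failover to the healthy backend takes in each case. All ports, the canned HTTP reply and the 1-second timeout are constructed for the demonstration.

```python
import socket
import threading
import time

# Constructed canned reply for the "healthy" backend.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def start_backend(silent=False):
    """Start a TCP listener on 127.0.0.1 with an ephemeral port.

    silent=False answers every connection with RESPONSE.
    silent=True accepts the connection but never sends a byte: from the
    gateway's side this is what a DROPping (stealth) server looks like,
    no RST, just silence until the gateway's own timer expires.
    Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.1)          # lets the serve loop notice stop_event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        held = []
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if silent:
                held.append(conn)    # hold it open, never reply
            else:
                conn.sendall(RESPONSE)
                conn.close()
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def closed_port():
    """Return a port on which nothing listens. Connecting to it gets an
    immediate RST, i.e. the REJECT behaviour of a normal web server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def fetch_with_failover(ports, read_timeout):
    """Round-robin over the backends in order until one answers.

    Returns (reply, attempts, elapsed_seconds). A refused connection
    costs almost nothing; a silent backend costs one full read_timeout
    before the client moves on, which is the delay the TID describes."""
    start = time.monotonic()
    last_error = None
    for attempt, port in enumerate(ports, start=1):
        try:
            with socket.create_connection(("127.0.0.1", port),
                                          timeout=read_timeout) as c:
                c.sendall(b"GET / HTTP/1.1\r\nHost: backend\r\n\r\n")
                reply = c.recv(4096)     # blocks up to read_timeout
                if reply:
                    return reply, attempt, time.monotonic() - start
                last_error = "empty reply"
        except OSError as exc:           # ConnectionRefusedError, timeout, ...
            last_error = exc
    raise RuntimeError(f"all backends failed: {last_error!r}")


def compare(read_timeout=1.0):
    """Measure failover time when the first backend REJECTs versus when it
    silently DROPs, each paired with the same healthy second backend."""
    healthy, stop_healthy = start_backend()
    silent, stop_silent = start_backend(silent=True)
    try:
        reply_r, tries_r, t_reject = fetch_with_failover(
            [closed_port(), healthy], read_timeout)
        reply_d, tries_d, t_drop = fetch_with_failover(
            [silent, healthy], read_timeout)
    finally:
        stop_healthy.set()
        stop_silent.set()
    return {
        "reject_ok": reply_r.startswith(b"HTTP/1.1 200"),
        "reject_attempts": tries_r,
        "reject_seconds": t_reject,
        "drop_ok": reply_d.startswith(b"HTTP/1.1 200"),
        "drop_attempts": tries_d,
        "drop_seconds": t_drop,
    }


if __name__ == "__main__":
    for key, value in compare(read_timeout=1.0).items():
        print(f"{key}: {value}")
```

With a 1-second read timeout the REJECT case fails over in milliseconds while the DROP case takes the full second; with the default timeout the same logic is what produces the 2-minute delay, and lowering it to 15 seconds shortens the delay proportionally without making the gateway any better at telling a dead server from a merely slow one.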

More information on the feature can be found at:

http://technet.microsoft.com/en-us/library/dd448557%28v=ws.10%29.aspx

Disabling Stealth Mode:

https://msdn.microsoft.com/en-us/library/ff720058.aspx

A discussion of the pros and cons of DROP versus REJECT:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/3e42c084-464d-480a-8568-751e7eb43640/windows-firewall-nonstandard-behavior-stealth-mode-vista-7-2008-2008-r2