Timeout issue in production environment

Hi


Production Environment:

firewall : fortigate
loadbalancer : nginx
application server : glassfish
db : mysql
vaadin version : 7.3.8
spring-security : 3.2.5.RELEASE


Dev Environment:

firewall : NOT THERE
loadbalancer : NOT THERE
application server : glassfish
db : mysql
vaadin version : 7.3.8
spring-security : 3.2.5.RELEASE

In the development environment everything is working fine.
In production it's working fine for the first five requests and then it suddenly hangs.
I get the notification from OSSEC: “High amount of POST requests in a small period of time (likely bot)”.
For the next 10 minutes I can't access the application from the same IP address. But I can access it from a different IP address, and again it works fine for the first 5 requests and later it hangs.
I have configured all the parameters related to the deployment descriptor file (productionMode, sessionTimeout).
I also deployed the quicktickets-dashboard, mobilemail and parking demo applications. I face the same issue with these applications too.
We have been working on it for a couple of days and came to know that the firewall is blocking the particular IP address for 10 minutes and releasing it after that. Until then, no one can access the application from the same IP.
Attached are the network log, nginx configuration, pom and web.xml.

I'd appreciate quick responses. Thank you…

Can you try increasing the http-thread-pool in glassfish?

I don’t know about Fortigate or OSSEC, but this seems to be a problem with the firewall or a separate intrusion detection system. Your firewall/OSSEC settings might not be suitable for serving AJAX applications, which tend to make a lot of XHR requests. Do you have any trouble with other web applications? Especially, other AJAX applications?

At least some of the demos use server push, so it could be a problem with the protocol used for that, like WebSocket. At least the dashboard-demo doesn’t use push though, so maybe it’s not that.
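
An added example, not part of any post in this thread: a sliding-window count of POST requests per client IP over nginx access-log lines, showing which request path a frequency rule like the one named in the OSSEC alert would be counting. The threshold, the window, the log lines and the `/app/UIDL/` path are assumptions constructed for illustration, not OSSEC or FortiGate defaults.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD uri proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" \d{3}'
)

def find_post_bursts(lines, threshold=5, window_s=20):
    """Return {ip: [(first_ts, last_ts, count, top_path)]} for each burst in which
    one IP sends `threshold` or more POSTs within `window_s` seconds.
    Both defaults are assumed values; take the real ones from the rule in use."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> (timestamp, path) pairs still in the window
    bursts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # ignore malformed lines and non-POST requests
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, m["uri"].split("?")[0]))
        while ts - q[0][0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) >= threshold:
            top_path = Counter(p for _, p in q).most_common(1)[0][0]
            bursts[m["ip"]].append((q[0][0], ts, len(q), top_path))
            q.clear()             # start counting a fresh burst
    return dict(bursts)

# Constructed log lines (documentation IP ranges), not the poster's attachment.
SAMPLE = [
    f'203.0.113.10 - - [12/Mar/2015:10:00:{s:02d} +0000] '
    '"POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 512'
    for s in range(6)             # one UI interaction per second from one browser
] + [
    '198.51.100.7 - - [12/Mar/2015:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/Mar/2015:10:00:05 +0000] "POST /app/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Mar/2015:10:01:30 +0000] "POST /app/UIDL/?v-uiId=0 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, hits in find_post_bursts(SAMPLE).items():
        for first, last, count, path in hits:
            print(f"{ip}: {count} POSTs to {path} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the real access log, the reported path shows whether the bursts are ordinary application XHR traffic, which is the case for tuning or scoping the rule rather than the application.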