This one time, at band camp, martin f krafft said:
> Hi,
>
> we operate a cluster with LDAP for authentication. When a user logs
> in, the session blocks around 15 seconds before the client sends the
> first TLS packet to the LDAP server after the TCP connection has
> been established. From then, everything is hunky dory.
>
> 5.095116 192.168.0.104 -> 192.168.0.10 DNS Standard query AAAA ldap.cluster.ailab.ch
> 5.095638 192.168.0.10 -> 192.168.0.104 DNS Standard query response CNAME master.cluster.ailab.ch
> 5.095881 192.168.0.104 -> 192.168.0.10 DNS Standard query A ldap.cluster.ailab.ch
> 5.096199 192.168.0.10 -> 192.168.0.104 DNS Standard query response CNAME master.cluster.ailab.ch A 192.168.0.10
> 5.096385 192.168.0.104 -> 192.168.0.10 TCP 32820 > 636 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=1689666 TSER=0 WS=0
> 5.096432 192.168.0.10 -> 192.168.0.104 TCP 636 > 32820 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1105337328 TSER=1689666 WS=2
> 5.096536 192.168.0.104 -> 192.168.0.10 TCP 32820 > 636 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=1689666 TSER=1105337328
> <15 seconds>
> 20.273360 192.168.0.104 -> 192.168.0.10 TLS Application Data
>
> I've had to deal with performance issues in slapd, but I've never
> had to deal with shy clients. What could be the cause here? There
> are no relevant entries in the logs on either client or server.

15 seconds is too short for a network lookup failure, I think. I would
expect more like 30 seconds if it was that.

Is the client low on entropy? It may be blocking until it has enough to
negotiate the TLS data.
-- 
-----------------------------------------------------------------
|  ,''`.                                           Stephen Gran |
| : :' :                                        sgran@debian.org |
| `. `'                        Debian user, admin, and developer |
|   `-                                    http://www.debian.org |
-----------------------------------------------------------------
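A defender-side check for the kind of stall discussed in this thread, added here as an example and not part of either message: it parses tshark-style summary lines and reports, per client flow, the delay between the client's final handshake ACK and its first TLS record, so the "shy client" symptom can be spotted across many connections rather than by eye. The sample capture is constructed and modelled on the lines quoted above; the parser assumes that format, in which TLS lines carry no port numbers.

```python
import re

# Constructed sample modelled on the capture quoted in the thread: a 15 s stall
# on the LDAPS connection, plus a second, healthy flow (port 32821) for contrast.
SAMPLE_CAPTURE = """\
5.096385 192.168.0.104 -> 192.168.0.10 TCP 32820 > 636 [SYN] Seq=0 Ack=0 Win=5840 Len=0
5.096432 192.168.0.10 -> 192.168.0.104 TCP 636 > 32820 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
5.096536 192.168.0.104 -> 192.168.0.10 TCP 32820 > 636 [ACK] Seq=1 Ack=1 Win=5840 Len=0
20.273360 192.168.0.104 -> 192.168.0.10 TLS Application Data
30.000000 192.168.0.104 -> 192.168.0.10 TCP 32821 > 636 [SYN] Seq=0 Ack=0 Win=5840 Len=0
30.000100 192.168.0.10 -> 192.168.0.104 TCP 636 > 32821 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
30.000200 192.168.0.104 -> 192.168.0.10 TCP 32821 > 636 [ACK] Seq=1 Ack=1 Win=5840 Len=0
30.004000 192.168.0.104 -> 192.168.0.10 TLS Client Hello
"""

# "<timestamp> <src> -> <dst> <proto> <info>" as printed by the tshark summary.
LINE_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")
PORTS_RE = re.compile(r"^(\d+) > (\d+) \[([^\]]*)\]")


def find_client_stalls(capture, threshold=1.0):
    """Return [(client, server, client_port, delay_seconds)] for every flow whose
    first TLS record from the client arrives at least `threshold` seconds after
    the client's final handshake ACK. Faster flows are not reported."""
    pending = {}   # (client, server) -> (client_port, handshake_done_ts)
    stalls = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, proto, info = m.groups()
        ts = float(ts)
        if proto == "TCP":
            p = PORTS_RE.match(info)
            if not p:
                continue
            sport, _dport, flags = p.groups()
            flags = {f.strip() for f in flags.split(",")}
            # Heuristic: the client's bare ACK with Seq=1 Ack=1 completes the
            # three-way handshake. TLS summary lines carry no ports, so the flow
            # is keyed on the address pair and the client port kept for the report.
            if flags == {"ACK"} and "Seq=1 Ack=1" in info:
                pending[(src, dst)] = (sport, ts)
        elif proto == "TLS" and (src, dst) in pending:
            sport, done = pending.pop((src, dst))
            delay = ts - done
            if delay >= threshold:
                stalls.append((src, dst, sport, round(delay, 3)))
    return stalls
```

Feed it the output of a summary capture on port 636 to get one line per stalled flow; a consistent multi-second gap on every connection, as opposed to occasional ones, points at the client host (entropy, name resolution, certificate checks) rather than the network.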