• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

CF2021- Intermittent connection failures to third party APIs?

Community Beginner ,
Jan 19, 2022 Jan 19, 2022

Copy link to clipboard

Copied

Howdy,

 

We are running CF2021 on Win2019 Server Datacenter. Over the past couple of weeks we have started seeing intermittent connection falures to some of our third party partners, like our payment processor, and other partners. CF is using TLS1.3 to make these connections, and if we immediately try to connect again when we get a connection failure, it almost always connects successfully. Sometimes it goes through fine without having to retry, so it is an intermittent failure.
One thing we have observed is that many, id not all of the failures appear to be trying to connect with a pre-shared key (PSK), while the successful retries do not (presumably CF drops the PSK when the connection failure occurs).
Is anyone else seeing something similar or has seen this?
One suggestion raised was to turn off TLS1.3 and fall back to 1.2. I assume we can do that using JVM command line args in the CFadmin and then restart?
Appreciate any help and suggestions.
As near as I can tell, we are current on CF updates.

Thank you for your time and attention.

TOPICS
Security

Views

119

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 19, 2022 Jan 19, 2022

Copy link to clipboard

Copied

A few thoughts :

  • Yes, some others have seen it. Not common, but happening. And there's not yet been a clear resolution shared widely.
  • Yes, it may be that adding the jvm args to limit calls out to use only tls 1.3 would help (and someone will share them of you don't find them), but do beware that would affect ALL calls out of cf, not just this app you're focused on. And you may say it's the only one that matters, but that's about cfhttp calls, right? You may also use tls in your mail server config, db/dsn config, and more. So just be careful about that.
  • You say cf is updated, but you don't confirm the update number. Please do. It's on the "settings summary" page in the cf admin.
  • More important, that page will show the jvm version  cf is using. What's that? (Don't do a "Java - version" command to find that. Cf may not use THAT jvm but another that it points to.) Both are on that settings summary page.
  • If you are not on a recent  update to the jvm cf supports (which for now in on Cf2021 and 2018 is Java 11), that could contribute to your problem. The latest Java 11 update is 14, which came out yesterday.
  • You may be on something much older like 11.0.1, which the original cf installer (from Nov 2020) implemented by mistake. The new cf installer from Sept implements 11.0.11 by default.) Or you may  you point to some other Java outside of cf, which is OK (as long as it's Java 11).
  • There are various resources that walk through updating cf to a newer Java. Let's hear first where things stand. 

/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jan 19, 2022 Jan 19, 2022

Copy link to clipboard

Copied

CF version is 

2021,0,0,323925
I was told we had updated several weeks ago, because of log4j, but it looks like this might not be the latest. I do know we implemented the log4j workaround then.

Java version is 11.0.1, CF is pointing to the JRE that comes with the installer.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jan 19, 2022 Jan 19, 2022

Copy link to clipboard

Copied

The Package Manager page seems a little flaky. I click "Check for Updates" under Core server and it says there are no updates. Click it again and it says there are three. Click it again and it's back to no updates.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 19, 2022 Jan 19, 2022

Copy link to clipboard

Copied

LATEST
 

CF version is 

2021,0,0,323925
I was told we had updated several weeks ago, because of log4j, but it looks like this might not be the latest. I do know we implemented the log4j workaround then.

Java version is 11.0.1, CF is pointing to the JRE that comes with the installer.

By @modigm

 

Your environment is lagging behind in terms of updates. I would suggest you

 

Who knows, perhaps when you're done, your original problem will go away.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation