the build string
389-Directory/1.3.9.1 B2019.164.1418
corresponds to a RHEL-7.7 with RHDS-10.4
to verify:
cat /etc/redhat-release; rpm -q redhat-ds 389-ds-base

the access and errors log snippets are showing a "normal" timeout after 10mn, when there is no activity, and they do not really provide more information.

for the system entropy, check with
cat /proc/sys/kernel/random/entropy_avail 
systemctl status rngd

if for example, the system entropy is less than 1K, crypto operations may be extremely slow, and rngd should be running, like for example:
mkdir -p /etc/systemd/system/rngd.service.d
cat > /etc/systemd/system/rngd.service.d/entropy-source.conf << EOF
[Service]
ExecStart=/sbin/rngd -f -r /dev/urandom -o /dev/random
EOF
systemctl daemon-reload
systemctl enable rngd
systemctl start rngd
systemctl status rngd
cat /proc/sys/kernel/random/entropy_avail

If the ns-slapd stops responding, try to set the attribute nsslapd-ioblocktimeout under cn=config to a smaller value, like for example, 15 seconds / 15000
ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: 15000

<press enter twice, then control-D>

Thanks,
M.

On Thu, Jan 2, 2020 at 11:28 AM Trevor Fong <tjfong@gmail.com> wrote:
Hi Steve,

We see it happening with replication connections from other 389 DS servers in the cluster (but because it is multi-master, other replications masters' succeed, so its OK).
However, we also see it with other clients - they will initiate a connection, but the connection will hang and the client will time it out.

Thanks,
Trev 

On Thu, 2 Jan 2020 at 09:43, Vandenburgh, Steve Y <Steve.Vandenburgh@centurylink.com> wrote:
Is it possible that that application is pro-actively creating LDAP connections that it does not use?  This scenario might happen if the application is using connection pooling.


-----Original Message-----
From: Trevor Fong <tjfong@gmail.com>
Sent: Thursday, January 2, 2020 10:16 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Re: Connections Opened but No BIND Received

Happy New Year, everyone!

Further to this, I added connection management loglevel to the errorlog level and managed to capture the output during one of the events when the connection seems to stall.  Would anyone be able to help me make sense of it?

Thanks a lot,
Trevor Fong

Access log:
[02/Jan/2020:08:21:00.925703124 -0800] conn=258144 fd=263 slot=263 SSL connection from <cleint ip> to <host ip>
[02/Jan/2020:08:21:00.934435506 -0800] conn=258144 TLS1.2 256-bit AES-GCM < expecting other transactions with conn=258144 but nothing happens until the following, when the connection is eventually timed out (600 sec) and broken by the client>
[02/Jan/2020:08:31:01.024762657 -0800] conn=258144 op=-1 fd=263 closed - Encountered end of file.

Error log:
[02/Jan/2020:08:21:00.924588379 -0800] - DEBUG - connection_reset - new SSL connection on 263
[02/Jan/2020:08:21:00.927088611 -0800] - DEBUG - connection_table_dump_activity_to_errors_log - activity on 263r
[02/Jan/2020:08:21:00.927961983 -0800] - DEBUG - handle_pr_read_ready - read activity on 263
[02/Jan/2020:08:21:00.932285653 -0800] - DEBUG - connection_read_operation - connection 258144 waited 1 times for read to be ready
[02/Jan/2020:08:21:00.934724384 -0800] - DEBUG - connection_read_operation - connection 258144 waited 2 times for read to be ready
[02/Jan/2020:08:21:01.035814543 -0800] - DEBUG - connection_threadmain - conn 258144 read not ready due to 4 - thread_turbo_flag 0 more_data 0 ops_initiated 1 refcnt 2 flags 17
[02/Jan/2020:08:21:01.036940723 -0800] - DEBUG - connection_check_activity_level - conn 258144 activity level = 0
[02/Jan/2020:08:21:01.037824240 -0800] - DEBUG - connection_threadmain - conn 258144 leaving turbo mode due to 4
[02/Jan/2020:08:21:01.038667951 -0800] - DEBUG - connection_threadmain - conn 258144 check more_data 0 thread_turbo_flag 0repl_conn_bef 0, repl_conn_now 0
[02/Jan/2020:08:21:01.039407337 -0800] - DEBUG - connection_make_readable_nolock - making readable conn 258144 fd=263 …
[02/Jan/2020:08:31:01.018473459 -0800] - DEBUG - connection_table_dump_activity_to_errors_log - activity on 263r
[02/Jan/2020:08:31:01.020162681 -0800] - DEBUG - handle_pr_read_ready - read activity on 263
[02/Jan/2020:08:31:01.021136264 -0800] - DEBUG - connection_read_operation - PR_Recv for connection 258144 returns -5938 (Encountered end of file.)
[02/Jan/2020:08:31:01.022435629 -0800] - DEBUG - disconnect_server_nomutex_ext - Setting conn 258144 fd=263 to be disconnected: reason -5938
[02/Jan/2020:08:31:01.024785254 -0800] - DEBUG - connection_threadmain - conn 258144 read not ready due to 3 - thread_turbo_flag 0 more_data 0 ops_initiated 2 refcnt 2 flags 19
[02/Jan/2020:08:31:01.026135420 -0800] - DEBUG - connection_check_activity_level - conn 258144 activity level = 1
[02/Jan/2020:08:31:01.027294400 -0800] - DEBUG - connection_enter_leave_turbo - conn 258144 turbo rank = 41 out of 841 conns
[02/Jan/2020:08:31:01.028297819 -0800] - DEBUG - connection_threadmain - conn 258144 leaving turbo mode due to 3
[02/Jan/2020:08:31:01.029284720 -0800] - DEBUG - connection_threadmain - conn 258144 check more_data 0 thread_turbo_flag 0repl_conn_bef 0, repl_conn_now 0
[02/Jan/2020:08:31:01.034004014 -0800] - DEBUG - connection_make_readable_nolock - making readable conn 258144 fd=263
[02/Jan/2020:08:31:01.036209375 -0800] - DEBUG - clear_signal - Listener got signaled
[02/Jan/2020:08:31:01.037395981 -0800] - DEBUG - connection_table_move_connection_out_of_active_list - Moved conn 263 out of active list and freed _______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fdocs.fedoraproject.org%2fen%2dUS%2fproject%2fcode%2dof%2dconduct%2f&umid=88AB2F95-9B2B-5C05-B075-850F03556B65&auth=19120be9529b25014b618505cb01789c5433dae7-3f23a383f700f424db40deaf4d8822c2daf248e2
List Guidelines: https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2ffedoraproject.org%2fwiki%2fMailing%5flist%5fguidelines&umid=88AB2F95-9B2B-5C05-B075-850F03556B65&auth=19120be9529b25014b618505cb01789c5433dae7-919003d7bec2b6ef54d727a57d7573e5ffdfb07c
List Archives: https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2flists.fedoraproject.org%2farchives%2flist%2f389%2dusers%40lists.fedoraproject.org&umid=88AB2F95-9B2B-5C05-B075-850F03556B65&auth=19120be9529b25014b618505cb01789c5433dae7-9795ae6e50df8fdd7c82d450133e130fc3c3eeb4
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org