Cognos Controller 10.3.1
Microsoft Windows 2012 server
Several controller users are thrown out of the cognos controller client at reporting week.
Check the firewall between the servers, controller servers and citrix servers.
Is there any new rules that have been implemented?
Does other application that also use citrix servers have issues with connection losses?
Turn off aggressive Aging in your firewall.
Also check if the Windows SQL server demand TLS 1.2, and you need to update the Windows registry to not use TLS 1.2 communication on the cognos servers. Set this values on cognos server:
If it does not help, then also try to change the DoS attacks settings in Windows;
A change in TCP/IP service are going to enable DoS protection.
- Run regedit.exe
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
- From the Edit menu, select New, DWORD Value.
- Enter the name TcpMaxHalfOpen, then press Enter.
- Double-click the new value, set it to 100, then click OK.
- Enter the name TcpMaxHalfOpenRetried, then press Enter.
- Double-click the new value, set it to 80, then click OK.
- Enter the name SynAttackProtect, then press Enter.
- Double-click the new value, set it to 1, then click OK.
- Reboot the machine.
If above is set, try to remove it with SynAttackProtect value set to 0.
When SynAttackProtect value is 0, it offers no protection. Value 1 indicate to delay the response Notification untill three way handshake is complete by the received by the SYN packet. By default, this is not invoke untill it exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values. The values TcpMaxHalfOpen and TcpMaxHalfOpenRetried could be changed, and I strongly recommend to test with different settings in your environment, then choose the best ones.
Understanding Aggressive Aging
To increase gateway stability, aggressive Aging helps manage the capacity of the connection table and gateway memory consumption.
Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as “eligible for deletion”. When the connections table or memory consumption reaches a user defined threshold, Aggressive Aging begins to delete “eligible for deletion” connections until memory consumption or connection capacity falls to the desired level.
Aggressive Aging lets the Security Gateway handle large amounts of unexpected traffic, for example during a Denial of Service attack.
If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the “Eligible for Deletion” list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no “Eligible for Deletion” connections, no connections are deleted but the list is checked for each subsequent connection that exceeds the threshold.
Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently.
Best Practice: When memory consumption exceeds its threshold, work with shorter timeouts that can maintain the connectivity for the majority of the traffic.
In the Aggressive Aging Timeouts are enforced when section, select whether they will be enforced if the Connections table exceeds a limit, if Memory exceeds a limit, or if both exceed their limits.
If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the “Eligible for Deletion” list being deleted if either the Connections table or Memory consumption passes this limit.
Note – The limits for the Connections table and Memory consumption are set for each profile. The Aggressive Aging timeouts are global. Therefore: different gateways may enforce the same timeouts at different thresholds.
Activate this protection in either Prevent or Detect mode.