DX Application Performance Management

Hello everyone,

Anyone knows how cloudflare could affect CA APM (tim / cem) measurements.
My client enabled cloudflare with caching static content, and we noticed a decrease in counts (not only in Wily but also in other HTTP monitoring tools used by our client)
Would it be necessary to recapture business transactions?

thanks,

Hi Fernando,

From what I have read Cloudfare is a CDN technology.

Step 1: How does Cloudflare work? – Cloudflare Support 

Are you still seeing all previously recorded business transactions monitored successfully and it is just the volumes that have reduced? If yes that would tend to indicate:

a. The existing transaction signatures are still valid and re-recording the business transactions would have no benefit

b. Perhaps some transactions are not being captured due to some caching effect or the current list of monitored web servers (web server filters) does not fully cover the new environment?

Are all the transactions http or secure https/ssl or a mixture? Are both types being monitored successfully and just the volumes are reduced?

Thanks

Lynn

Hi Lynn, thanks for you response.

Our customer is bank, then all transacction are being captured are https. We have someone cypher suite error, by status request into a F5 to the web servers with Diffie-Hellman, but this is normal.

Cloudflare here is configurated with static content caching.

Some BT have are defined to do matching with some particular imges name

Hi Fernando,

As you may know TIM does not support  Diffie-Hellman ciphers.

So are you seeing the cipher errors in the TIM log (with Trace option "SSL Errors" enabled)?

Are only some of the web servers using Diffie-Hellman and was that the same before Cloudflare was introduced?

Thinking about possible image caching, is the reduction in transaction volume limited to the BTs defined with matching against image names or do other BTs see the volume reduction as well?

Thanks

Lynn

Hello Lynn,

Yes, I knew that the Diffie-Hellman figures are not compatible.

Yes, this is a sample from the tim record:
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089325, package 19452351276, [172.16.83.254]: 3729 -> [172.16.80.88]: 443; ignoring more data
Wed 21 Feb 17:58:07 2018 6754 Tracking: w13: Version: TLS 1.2 CipherSuite - TLS_RSA_WITH_AES_128_CBC_SHA256 (60) [172.16.83.254]: 22955 -> [172.16.81.7]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 9 (too many TCP data out of service in queue), conn 76081672, package 19452352727, [172.16.83.254]: 34773 -> [172.16.80.238]: 443; ignoring more data
Wed Feb 21 17:58:07 2018 6754 Trace: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 47712 -> [172.16.80.170]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089328, package 19452353266, [172.16.83.254]: 47712 -> [172.16.80.170]: 443; ignoring more data
Wed 21 Feb 17:58:07 2018 6754 Tracking: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 55689 -> [172.16.80.225]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089329, package 19452353501, [172.16.83.254]: 55689 -> [172.16.80.225]: 443; ignoring more data
Wed Feb 21 17:58:07 2018 6754 Trace: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 19870 -> [172.16.80.135]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089330, package 19452354164, [172.16.83.254]: 19870 -> [172.16.80.135]: 443; ignoring more data
Wed 21 Feb 17:58:07 2018 6754 Tracking: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 49810 -> [172.16.80.66]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: red_process_package: error 10 (cipher set not supported), conn 76089332, package 19452355197, [172.16.83.254]: 49810 -> [172.16.80.66]: 443; ignoring more data
Wed 21 Feb 17:58:07 2018 6754 Tracking: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 28336 -> [172.16.80.108]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089331, package 19452355218, [172.16.83.254]: 28336 -> [172.16.80.108]: 443; ignoring more data
Wed 21 Feb 17:58:07 2018 6754 Trace: w13: version: TLS 1.2 CipherSuite - TLS_RSA_WITH_AES_128_CBC_SHA256 (60) [172.16.83.254]: 35235 -> [172.16.80.244]: 443
Wed Feb 21 17:58:07 2018 6754 Trace: w13: Version: TLS 1.2 CipherSuite - TLS_RSA_WITH_AES_128_CBC_SHA256 (60) [172.16.83.254]: 14706 -> [172.16.80.244]: 443
Wed 21 Feb 17:58:07 2018 6754 Trace: w13: Version: TLS 1.2 CipherSuite - Unknown (49192) [172.16.83.254]: 40771 -> [172.16.80.150]: 443
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslprint: Unknown CipherSuite - 49192
Wed 21 Feb 17:58:07 2018 6754! Warning: w13: sslinterface: network_process_packet: error 10 (unsupported ciphersuite), conn 76089335, package 19452356538, [172.16.83.254]: 40771 -> [172.16.80.150]: 443; ignoring more data
Wed Feb 21 17:58:07 2018 6754 Trace: w13: Version: TLS 1.2 CipherSuite - TLS_RSA_WITH_AES_128_CBC_SHA256 (60) [172.16.83.254]: 15745 -> [172.16.80.243]: 443

No, all the traffic between F5 and webservers has a hand-health check with Diffie-Hellman and it was already before Cloudflare was introduced

I think the problem is not in the static content caching. Yesterday, make a test, create a copy of a BT with low volume (login to the webpage). I defined the match with my access credentials and initially counted my income, but then they were more distant counts until I stopped counting, even though I continued to login on the webpage of my customer.

Hi Fernando,

So to clarify, for your new BT the transaction count observed in CEM was less than your transaction execution count?

One useful tool for count comparison would be to use the Tim Transaction Inspection as you execute the transactions.

Thanks

Lynn

Hi Lynn,

for your question. Yes, that is correct.

Thanks 

Hi Fernando,

It is sounding more like we need to investigate your scenario in more detail via a support case so you please create a new case here: https://comm.support.ca.com/csupport/CaseManagement/cases/new

Thanks

Lynn

Thanks Lynn,

Tomorrow I will create the case. Unfortunately, the other IT areas of our customer apply changes and new technologies in the monitored applications without prior notice. And this does not allow us to quantify the impact on the tool before implementation.

Thanks to both, Lynn and Hallett

Fernando:

Not sure if it is in play here. But APM 10.3 added some settings and CDN Support for certain CDN vendors. (mainly Akamai) 

See Not Using Client IP for APM CE (CEM) Session Mappi - CA Knowledge 

Hi Hallet,

Here we have a MOM and cem collector on version 10.0.0.12, others collectors with 10.5.1.8, tommorrow I will up MOM version.

I reviewed the article and is interesting, cloudflare is a simple proxy reverse with a security layer (soft description). Whowever, my customer not have a test environment and I cant probe this cases in this environment

Thanks

Hi Fernando,

I think you would also have to upgrade TIM to be able to use the new TIM CDN property and then also upgrade CEM Collector to match TIM version.

Regards,

Lynn