Gateway is already part of the jGroups cluster. Join rejected
search cancel

Gateway is already part of the jGroups cluster. Join rejected

book

Article ID: 42973

calendar_today

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

The functionality of jGroups is to facilitate the multicast replay protection capabilities of the SecureSpan Gateway (SSG). In order to enforce such protection, each SSG node in a cluster must be registered with the jGroups cluster. If a node attempts to utilize an existing multicast address, its attempts to join the jGroups cluster will be denied.

Presentation

When a Gateway node is denied access to the jGroups cluster, the immediate symptom will be an inability to start. Within the node's /opt/SecureSpan/Gateway/node/default/var/logs/ssg_0_0.log file will be the following entry:

WARNING: Caused by: java.lang.SecurityException: member 192.168.1.2:7001 is already part of the group, JOIN request is rejected

Note that the value "192.168.1.2" will vary based upon implementation.

Resolution

Self-Repair

jGroups is designed to eventually resolve addressing conflicts on its own. After a period of time, the impacted node will choose a new address without intervention from an operator or administrator. If this is not desirable, you can proceed to resolve the conflict manually.

Conflict Resolution

Resolving an addressing conflict requires access to the privileged shell of the Gateway. Please execute the following procedure to manually resolve addressing conflicts.

1. Determine the jGroups cluster master by running this command on a database node.
# mysql ssg -e "select cluster_info.address from cluster_master, cluster_info where cluster_info.nodeid = cluster_master.nodeid;"
NOTE: The jGroups cluster master is not the same as the MySQL replication master.

2. Restart the SSG node serving as the jGroups cluster master.
NOTE: Do not continue until the previous step is complete.

3. Restart the impacted node unable to join the jGroups cluster.

Both nodes should successfully join the jGroups cluster without issues. If the issue persists, please contact Layer 7 Technologies Technical Support.

Workaround

The jGroups implementation exists solely to facilitate multicast replay protection. If replay-related assertions or functionality are not in use on the Gateway and you are seeing this error consistently, you may choose to disable multicast replay protection via the cluster-wide property "cluster.replayProtection.multicast.enabled". To disable replay protection, set this cluster-wide property to "false."

?

Environment

Release:
Component: APIGTW