
Verify SM_ENABLE_TCP_KEEPALIVE is working on Web Agent - Policy Server


Article ID: 15634


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

SM_ENABLE_TCP_KEEPALIVE has been enabled by setting the environment
variable. How can we verify that it is working properly, given that
there is a firewall between the Policy Server and the Web Agent?

TCP Keep Alive is enabled at the OS level.

 

Environment

 

Web Agent R12.X on RedHat
Policy Server R12.X on RedHat

 

Resolution

 

To verify that TCP Keep Alive is working, capture network traces while
producing a disconnection between the Web Agent and the Policy
Server. Once the connection is idle and the server detects that the
other end no longer answers, it sends keep-alive probes, which will be
visible in the network trace.

The easiest way to do this is to add a firewall rule that drops the
requests from the Web Agent to the Policy Server while the network
traces are being captured. Then, depending on the OS TCP Keep Alive
settings, the keep-alive packets will appear in the traces at the
intervals configured in the system.

First, verify that the environment variable is correctly set to 1 on
both servers by checking the current variables:

  SM_ENABLE_TCP_KEEPALIVE=1

Check the current OS TCP Keep Alive settings (for example, the probe
interval) so you know what to expect in the network traces:

  # cat /proc/sys/net/ipv4/tcp_keepalive_time
  7200
  # cat /proc/sys/net/ipv4/tcp_keepalive_intvl
  75
  # cat /proc/sys/net/ipv4/tcp_keepalive_probes
  9

If you need to change any of these values, echo the new value into the
corresponding file:

  # echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

Don't change any value without consulting the sysadmin. For more
information on the OS TCP Keep Alive settings, check the OS vendor
documentation (1).

Also, remember that the services must be restarted after setting the
SM_ENABLE_TCP_KEEPALIVE environment variable for the change to take
effect.

The Keep Alive packets in your network traces will look like the
following:

  17922    10:33:21.988218    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180041061 TSecr=3010560045
  17949    10:33:23.263118    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0 TSval=4180042336 TSecr=3010561322
  17986    10:33:25.324121    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45938 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180044397 TSecr=3010563383
  17987    10:33:25.330148    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45937 [ACK] Seq=17241 Ack=230 Win=14528 Len=0 TSval=4180044403 TSecr=3010563389

When reviewing the network traces in Wireshark, apply the display filter
"tcp.analysis.keep_alive" to show only these packets.
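As an added example (not part of this article), the following POSIX shell script bundles three checks that can be run on either host before the firewall-drop test: that the running service actually inherited SM_ENABLE_TCP_KEEPALIVE=1, what probe timeline the current sysctls imply, and whether the established sockets on the Policy Server port carry a kernel keepalive timer in `ss -tno` output. It assumes port 44443 from the trace above is the Policy Server port; the PID, file paths and sample ss lines are placeholders or constructed.

```shell
#!/bin/sh
# Added example (not from the article): three checks a practitioner can run
# before reaching for the firewall-drop test. Assumptions: port 44443 is the
# Policy Server port seen in the trace above; PID and file paths are placeholders.

# 1. Did the running service inherit SM_ENABLE_TCP_KEEPALIVE=1?
#    Reads a NUL-separated environ file such as /proc/<pid>/environ; an export in
#    a shell proves nothing until the service has been restarted.
env_has_keepalive() {
  tr '\0' '\n' < "$1" | grep -qx 'SM_ENABLE_TCP_KEEPALIVE=1'
}

# 2. Seconds of silence before the kernel declares the peer dead: the first
#    probe goes out after tcp_keepalive_time, then tcp_keepalive_probes more
#    probes spaced tcp_keepalive_intvl apart. Defaults 7200/75/9 give 7875.
keepalive_dead_after() {
  echo $(( $1 + $2 * $3 ))
}

# Prints the timeline to expect in the capture, from the live sysctl values.
show_keepalive_timeline() {
  t=$(cat /proc/sys/net/ipv4/tcp_keepalive_time)
  i=$(cat /proc/sys/net/ipv4/tcp_keepalive_intvl)
  p=$(cat /proc/sys/net/ipv4/tcp_keepalive_probes)
  echo "first probe after ${t}s idle, then every ${i}s, dead after $(keepalive_dead_after "$t" "$i" "$p")s"
}

# 3. Do the established connections on the Policy Server port carry a kernel
#    keepalive timer? Feed it 'ss -tno' output on stdin; prints "with/total".
#    A socket without "timer:(keepalive,...)" never had SO_KEEPALIVE set, so no
#    probes will ever appear for it no matter what the sysctls say.
ss_keepalive_status() {
  awk -v p=":$1\$" '
    $4 ~ p || $5 ~ p { total++; if ($6 ~ /^timer:\(keepalive,/) ka++ }
    END { s = (ka + 0) "/" (total + 0); print s }'
}

# Constructed ss output for a dry run: one socket with keepalive, one without.
SAMPLE_SS='ESTAB 0 0 10.0.0.20:45935 10.0.0.10:44443 timer:(keepalive,118min,0)
ESTAB 0 0 10.0.0.20:45934 10.0.0.10:44443
ESTAB 0 0 10.0.0.20:52001 10.0.0.30:443'

if [ "${1:-}" = "--live" ]; then
  env_has_keepalive "/proc/${2:?pid}/environ" && echo "env OK" || echo "env var NOT set in process"
  show_keepalive_timeline
  echo "sockets with keepalive timer: $(ss -tno | ss_keepalive_status 44443)"
else
  echo "dry run: $(printf '%s\n' "$SAMPLE_SS" | ss_keepalive_status 44443)"   # 1/2
fi
```

Run it as `sh check_keepalive.sh --live <pid>` on each host; a "0/N" result for the Policy Server port means no probes will ever show up in the trace regardless of the sysctl values.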

 

Additional Information

 

(1)

    RedHat Support Portal - TCP Keep Alive
    https://access.redhat.com/solutions/19029