Verify SM_ENABLE_TCP_KEEPALIVE is working on Web Agent - Policy Server
Article ID: 15634

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

How to verify the SM_ENABLE_TCP_KEEPALIVE setting when there is a firewall between the Policy Server and the Web Agent?

Resolution

To verify that TCP Keep-Alive is working, capture a network trace while forcing a disconnection between the Web Agent and the Policy Server.

When the server detects that the other end is no longer reachable, it sends keep-alive packets, which are visible in the network trace.

The disconnection can be produced with a firewall rule that drops the requests from the Web Agent to the Policy Server while the network trace is being captured.

The packets then appear in the trace at the intervals defined by the OS TCP Keep-Alive settings.

First, verify that the environment variable is set to 1 on both servers (the Policy Server side and the Web Agent side) by checking the current environment variables:

SM_ENABLE_TCP_KEEPALIVE=1

Check the current OS TCP Keep-Alive settings:

# cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
# cat /proc/sys/net/ipv4/tcp_keepalive_intvl
75
# cat /proc/sys/net/ipv4/tcp_keepalive_probes
9

To change a value, write the new value with echo:

# echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

Don't change any value without consulting the sysadmin.

For more information on OS TCP Keep-Alive settings, check the OS vendor documentation.

Also, remember that the services must be restarted after setting the SM_ENABLE_TCP_KEEPALIVE environment variable for the change to take effect.

The Keep-Alive packets in the network trace look like the following:

17922    10:33:21.988218    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180041061 TSecr=3010560045
17949    10:33:23.263118    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0 TSval=4180042336 TSecr=3010561322
17986    10:33:25.324121    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45938 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180044397 TSecr=3010563383
17987    10:33:25.330148    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45937 [ACK] Seq=17241 Ack=230 Win=14528 Len=0 TSval=4180044403 TSecr=3010563389

When reviewing the network trace in Wireshark, use the display filter "tcp.analysis.keep_alive" to show only these packets.
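As an added example, not part of the original article, the following shell script gathers the checks above on a Linux host: it confirms SM_ENABLE_TCP_KEEPALIVE in the current shell, reads the three kernel settings, computes how long an unresponsive peer takes to be dropped, and lists established sockets on the Policy Server port with their keep-alive timers via ss -o. The port 44443 (taken from the trace above), the /proc paths and the presence of the ss tool are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: gather the keep-alive checks
# described above on a Linux host. Assumptions: the /proc paths shown in the
# article, the ss(8) tool, and 44443 as the Policy Server port from the trace.

# Seconds from the connection going idle until the kernel gives up on a peer
# that never answers: tcp_keepalive_time + tcp_keepalive_intvl * tcp_keepalive_probes.
keepalive_detect_seconds() {
    echo $(( $1 + $2 * $3 ))
}

# True (exit 0) only when the variable value is exactly "1".
keepalive_env_enabled() {
    [ "${1:-}" = "1" ]
}

# Read the three kernel settings the article checks with cat.
read_keepalive_sysctls() {
    t=$(cat /proc/sys/net/ipv4/tcp_keepalive_time)
    i=$(cat /proc/sys/net/ipv4/tcp_keepalive_intvl)
    p=$(cat /proc/sys/net/ipv4/tcp_keepalive_probes)
    echo "$t $i $p"
}

# Established TCP sockets on the given local port; a socket that has
# SO_KEEPALIVE set shows "timer:(keepalive,...)" in ss -o output, so this
# confirms the setting on a live socket without waiting for a trace.
show_keepalive_timers() {
    ss -tno state established "( sport = :$1 )"
}

main() {
    port=${PS_PORT:-44443}
    if keepalive_env_enabled "${SM_ENABLE_TCP_KEEPALIVE:-}"; then
        echo "SM_ENABLE_TCP_KEEPALIVE=1 is set in this shell"
    else
        echo "WARNING: SM_ENABLE_TCP_KEEPALIVE is not 1 in this shell; check the service's environment"
    fi
    set -- $(read_keepalive_sysctls)
    echo "tcp_keepalive_time=$1 tcp_keepalive_intvl=$2 tcp_keepalive_probes=$3"
    echo "first probe after ${1}s idle; unresponsive peer dropped after $(keepalive_detect_seconds "$1" "$2" "$3")s"
    show_keepalive_timers "$port"
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${RUN_KEEPALIVE_CHECK:-0}" = "1" ]; then
    main
fi
```

Run it with RUN_KEEPALIVE_CHECK=1 on the host under test; with the default values shown earlier (7200, 75, 9) an unresponsive peer is dropped after 7875 seconds. Values written to /proc do not survive a reboot, so persist agreed values through the sysctl configuration, and a socket with no keep-alive timer in the ss output suggests the service was not restarted after the variable was set.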

Additional Information