Verify SM_ENABLE_TCP_KEEPALIVE is working on Web Agent - Policy Server
Article ID: 15634


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

How can the SM_ENABLE_TCP_KEEPALIVE setting be verified when there is a firewall between the Policy Server and the Web Agent?

Errors such as the following appear in the Policy Server and Web Agent logs. How can one tell whether SM_ENABLE_TCP_KEEPALIVE is working?

smps.log:

[2424828/140236688439040][Mon Apr 14 2025 11:06:18.770][CServer.cpp:2416][ERROR][sm-Server-01080] Failed to send response on session # 3188099 : <server>/10.0.1:58128. Socket error 104

WebAgent.log:

[09/13/2024][09:25:24][13304270][21589][CSmLowLevelAgent.cpp:552][IsResourceProtected][][*10.0.0.8][][<agent>][/<app>][<user>][Communication failure between SiteMinder policy server and web agent.]

There are also "Ghost" connections not detected by the Policy Server.

The connections that are cut off by the firewall are not being detected.

The Policy Server continues to show these connections in an ESTABLISHED state with no real traffic, indicating that they are "ghost" connections that have been disconnected by the firewall but remain active in SiteMinder.

Resolution

To verify that TCP Keep-Alive is working, capture a network trace and force a disconnection between the Web Agent and the Policy Server.

Once a connection has been idle for the configured keep-alive time, the server sends keep-alive probes; when the other end no longer answers them, the dead connection is detected. These probes are what will be seen in the network trace.

The disconnection can be produced by adding a firewall rule that drops the traffic from the Web Agent to the Policy Server while the network trace is being captured.

Depending on the OS TCP Keep-Alive settings, the keep-alive packets will then appear in the network trace at the intervals configured in the system.

First, verify that the environment variable is correctly set to 1 on both servers (the Policy Server side and the Web Agent side) by checking the current variables:

SM_ENABLE_TCP_KEEPALIVE=1

Check the current TCP Keep-Alive OS settings (1):

# cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
# cat /proc/sys/net/ipv4/tcp_keepalive_intvl
75
# cat /proc/sys/net/ipv4/tcp_keepalive_probes
9

To change a value, write the new value with echo (this takes effect immediately but does not persist across a reboot):

# echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

Don't change any value without consulting the sysadmin.

For more information on OS TCP Keep-Alive settings, check OS vendor documentation.

Also, remember that a restart of the services is needed after setting the SM_ENABLE_TCP_KEEPALIVE environment variable for the changes to be applied.

The Keep-Alive packets in your network traces will look like the following:

17922    10:33:21.988218    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180041061 TSecr=3010560045
17949    10:33:23.263118    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0 TSval=4180042336 TSecr=3010561322
17986    10:33:25.324121    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45938 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180044397 TSecr=3010563383
17987    10:33:25.330148    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45937 [ACK] Seq=17241 Ack=230 Win=14528 Len=0 TSval=4180044403 TSecr=3010563389

When reviewing the network traces in Wireshark, apply the display filter "tcp.analysis.keep_alive" to show only these packets.
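The following Python script is an added example, not code from the CA/Broadcom article or the SiteMinder product. It automates the checks above: it confirms SM_ENABLE_TCP_KEEPALIVE=1 in an environment mapping, reads the three Linux keep-alive sysctls and derives how long a connection cut by the firewall can stay ESTABLISHED before the kernel notices, extracts the [TCP Keep-Alive] packets from a Wireshark packet-list export and measures their spacing per connection (to compare against tcp_keepalive_intvl), and shows how to enable and confirm keep-alive on a particular socket. The /proc values and the trace lines embedded in it are constructed samples based on the article's output; the addresses 10.0.0.1 and 10.0.0.8 are placeholders standing in for <PS IP> and <WA IP>, and the per-socket TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options are Linux-specific and skipped where absent.

```python
# Added example (not code from the CA/Broadcom article): helpers for the
# verification steps above: confirm SM_ENABLE_TCP_KEEPALIVE is set, read the
# Linux keep-alive sysctls and derive how long a dead peer can stay ESTABLISHED,
# pull the [TCP Keep-Alive] packets out of a Wireshark packet-list export and
# measure their spacing, and enable/confirm keep-alive on a socket.
import re
import socket
from collections import defaultdict
from datetime import datetime

KEEPALIVE_SYSCTLS = ("tcp_keepalive_time", "tcp_keepalive_intvl", "tcp_keepalive_probes")

# Constructed sample: the /proc values shown in the article (Linux defaults).
SAMPLE_PROC = {"tcp_keepalive_time": "7200", "tcp_keepalive_intvl": "75", "tcp_keepalive_probes": "9"}


def sm_keepalive_enabled(environ):
    """True when SM_ENABLE_TCP_KEEPALIVE=1 is present in the given environment mapping."""
    return environ.get("SM_ENABLE_TCP_KEEPALIVE", "").strip() == "1"


def read_keepalive_sysctls(reader=None):
    """Return the three keep-alive settings as ints.
    reader(name) -> str; by default the value is read from /proc/sys/net/ipv4/<name>."""
    if reader is None:
        def reader(name):
            with open(f"/proc/sys/net/ipv4/{name}") as f:
                return f.read().strip()
    return {name: int(reader(name)) for name in KEEPALIVE_SYSCTLS}


def worst_case_detection_seconds(s):
    """Seconds from the last real traffic until Linux gives up on a silent peer:
    the idle period plus every unanswered probe (probes are sent intvl apart)."""
    return s["tcp_keepalive_time"] + s["tcp_keepalive_intvl"] * s["tcp_keepalive_probes"]


# Wireshark packet-list columns: No.  Time  Source  Destination  Protocol  Length  Info
TRACE_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+TCP\s+\d+\s+(?P<info>.*)$"
)
PORTS = re.compile(r"(?P<sport>\d+)\s+→\s+(?P<dport>\d+)")

# Constructed sample in the article's export format with placeholder addresses:
# 10.0.0.1 stands in for <PS IP>, 10.0.0.8 for <WA IP>. The third line is ordinary
# data and must be ignored; lines 1 and 4 are two probes on one connection, 75 s apart.
SAMPLE_TRACE = """\
17922    10:33:21.988218    10.0.0.1    10.0.0.8    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0
17949    10:33:23.263118    10.0.0.1    10.0.0.8    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0
18001    10:33:40.000000    10.0.0.8    10.0.0.1    TCP    120    45934 → 44443 [PSH, ACK] Seq=1367 Ack=20290 Win=65535 Len=54
18210    10:34:36.988218    10.0.0.1    10.0.0.8    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0
"""


def keepalive_probes(lines):
    """Map (src, sport, dst, dport) -> sorted probe times for every line Wireshark
    tagged [TCP Keep-Alive] (the same packets the filter tcp.analysis.keep_alive shows)."""
    probes = defaultdict(list)
    for line in lines:
        m = TRACE_LINE.match(line)
        if not m or "[TCP Keep-Alive]" not in m["info"]:
            continue
        p = PORTS.search(m["info"])
        if not p:
            continue
        key = (m["src"], p["sport"], m["dst"], p["dport"])
        probes[key].append(datetime.strptime(m["time"], "%H:%M:%S.%f"))
    return {k: sorted(v) for k, v in probes.items()}


def probe_intervals(probes):
    """Seconds between consecutive probes per connection; compare with tcp_keepalive_intvl."""
    return {k: [(b - a).total_seconds() for a, b in zip(t, t[1:])] for k, t in probes.items()}


def enable_keepalive(sock, idle=600, intvl=75, probes=9):
    """Turn on SO_KEEPALIVE and, where the platform exposes them (Linux), the per-socket timers."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", intvl), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)  # absent on some platforms; system defaults then apply
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)


def keepalive_enabled(sock):
    """How to tell keep-alive is enabled on a particular socket: ask the kernel."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def socket_self_check():
    """Create a TCP socket, enable keep-alive on it and return (before, after) status."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        before = keepalive_enabled(s)
        enable_keepalive(s)
        return (before, keepalive_enabled(s))


if __name__ == "__main__":
    settings = read_keepalive_sysctls(SAMPLE_PROC.get)
    print("worst-case detection:", worst_case_detection_seconds(settings), "s")
    print("probe intervals:", probe_intervals(keepalive_probes(SAMPLE_TRACE.splitlines())))
    print("socket keep-alive before/after:", socket_self_check())
```

With the article's default values the script reports 7200 + 75 × 9 = 7875 seconds, which is how long a connection silently dropped by the firewall can remain ESTABLISHED on the Policy Server before keep-alive gives up on it; if the firewall's idle timeout is shorter than tcp_keepalive_time, the first probe arrives too late to keep the session open, which is exactly the "ghost connection" symptom described above. Call read_keepalive_sysctls() with no argument on the server itself to use the live /proc values, and feed an "Export Packet Dissections" text file from Wireshark to keepalive_probes() to check that the measured spacing matches tcp_keepalive_intvl.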

Additional Information

  1. What is TCP keepalive, how do I change it and how can I tell it is enabled on a particular socket?