Verify SM_ENABLE_TCP_KEEPALIVE is working on Web Agent - Policy Server
Article ID: 15634


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

How can the SM_ENABLE_TCP_KEEPALIVE setting be verified when there is a firewall between the Policy Server and the Web Agent?

Environment


Web Agent R12.X on RedHat
Policy Server R12.X on RedHat


Resolution

To verify that TCP Keep-Alive is working, capture a network trace and cause a disconnection between the Web Agent and the Policy Server. When the server detects that the other end has been disconnected, it sends keep-alive packets, which will be visible in the network trace.

This can be done by adding a firewall rule that drops the requests from the Web Agent to the Policy Server while the network trace is being captured. Then, depending on the OS TCP Keep-Alive settings, the keep-alive packets appear in the trace at the intervals configured in the system.

First, verify that the environment variable is set to 1 on both servers (the Policy Server side and the Web Agent side) by checking the current environment variables:

  SM_ENABLE_TCP_KEEPALIVE=1

Check the current TCP Keep-Alive OS settings:

  # cat /proc/sys/net/ipv4/tcp_keepalive_time
  7200
  # cat /proc/sys/net/ipv4/tcp_keepalive_intvl
  75
  # cat /proc/sys/net/ipv4/tcp_keepalive_probes
  9

If any value needs to be changed, use echo to update it (a value written this way takes effect immediately but does not survive a reboot):

  # echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

Do not change any value without consulting the sysadmin. For more information on the OS TCP Keep-Alive settings, check the OS vendor documentation.

Also, remember that the services must be restarted after setting the SM_ENABLE_TCP_KEEPALIVE environment variable for the change to take effect.

The Keep-Alive packets in the network trace will look like the following:

  17922    10:33:21.988218    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180041061 TSecr=3010560045
  17949    10:33:23.263118    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0 TSval=4180042336 TSecr=3010561322
  17986    10:33:25.324121    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45938 [ACK] Seq=230 Ack=155 Win=14528 Len=0 TSval=4180044397 TSecr=3010563383
  17987    10:33:25.330148    <PS IP>    <WA IP>    TCP    66    [TCP Keep-Alive] 44443 → 45937 [ACK] Seq=17241 Ack=230 Win=14528 Len=0 TSval=4180044403 TSecr=3010563389

When reviewing the network trace in Wireshark, use the display filter "tcp.analysis.keep_alive" to show only these packets.
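As an added example (not part of the original article), the following Python script ties the two checks above together: it computes, from the three tcp_keepalive_* values, how long a silently dead peer stays undetected, and it parses keep-alive lines in the packet-list format shown above, grouping them per connection so the gap between consecutive probes can be compared with tcp_keepalive_intvl. The IP addresses and the repeated probes in the sample trace are constructed; the page's trace uses <PS IP> / <WA IP> placeholders instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kernel keep-alive settings as read from /proc/sys/net/ipv4 (the defaults shown in the article).
KEEPALIVE = {"tcp_keepalive_time": 7200, "tcp_keepalive_intvl": 75, "tcp_keepalive_probes": 9}

def dead_peer_detection_seconds(settings):
    """Worst-case time an idle connection stays open after the peer silently vanishes:
    the idle period before the first probe plus every unanswered probe."""
    return (settings["tcp_keepalive_time"]
            + settings["tcp_keepalive_intvl"] * settings["tcp_keepalive_probes"])

# One Wireshark packet-list line: frame, time, src, dst, proto, length, info.
KEEPALIVE_RE = re.compile(
    r"^\s*\d+\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
    r"\[TCP Keep-Alive\]\s+(\d+)\s+→\s+(\d+)\s+\[ACK\]")

def keepalive_intervals(trace_lines):
    """Group keep-alive probes per connection (src, sport, dst, dport) and return
    the seconds elapsed between consecutive probes on each connection."""
    times = defaultdict(list)
    for line in trace_lines:
        m = KEEPALIVE_RE.match(line)
        if not m:
            continue  # not a keep-alive probe (ordinary data, RST, etc.)
        stamp, src, dst, sport, dport = m.groups()
        times[(src, sport, dst, dport)].append(datetime.strptime(stamp, "%H:%M:%S.%f"))
    return {conn: [round((b - a).total_seconds(), 3) for a, b in zip(ts, ts[1:])]
            for conn, ts in times.items()}

def probes_match_interval(intervals, settings, tolerance=1.0):
    """True when every gap between consecutive probes is within `tolerance` seconds of
    tcp_keepalive_intvl, i.e. the probes are being retried because the peer is not answering."""
    expected = settings["tcp_keepalive_intvl"]
    return all(abs(gap - expected) <= tolerance for gaps in intervals.values() for gap in gaps)

# Constructed sample in the article's trace format: 10.0.0.1 stands in for the Policy Server
# (port 44443), 10.0.0.2 for the Web Agent. Probes on one connection repeat every 75 s.
SAMPLE_TRACE = """\
17922    10:33:21.988218    10.0.0.1    10.0.0.2    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0
17949    10:33:23.263118    10.0.0.1    10.0.0.2    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0
18010    10:34:36.988301    10.0.0.1    10.0.0.2    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0
18044    10:34:38.263250    10.0.0.1    10.0.0.2    TCP    66    [TCP Keep-Alive] 44443 → 45934 [ACK] Seq=20290 Ack=1367 Win=17152 Len=0
18101    10:35:51.988402    10.0.0.1    10.0.0.2    TCP    66    [TCP Keep-Alive] 44443 → 45935 [ACK] Seq=230 Ack=155 Win=14528 Len=0
""".splitlines()

if __name__ == "__main__":
    print(dead_peer_detection_seconds(KEEPALIVE), keepalive_intervals(SAMPLE_TRACE))
```

With the default settings the script reports 7875 s (7200 + 9 × 75) before a dead peer is detected, which is why the article shows tcp_keepalive_time being lowered to 600 when the firewall drops idle connections sooner.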


Additional Information

Document reference:

    RedHat Support Portal - TCP Keep Alive
    https://access.redhat.com/solutions/19029