Imperva gateway reboots when primary CPM is physically reseated,
Article ID: 167825
XOS 9.6.x/SSGW 8.0/SSGW 9.0
When the primary CPM is pulled out, Imperva APMs(s) crashe when the original primary CPM is reseated in the chassis. The APM crash is seen in the /crossbeam/logs/cbsoops directory if the APM(s). /Similar behaviour is not seen when during the following activities:
reload <slot # of APM>
Power-cycling the chassis
The bug is indeed some Linux kernel bug, that happens when TCP timestamps are disabled. Imperva disables TCP timestamps in impctl when doing “impctl gateway start –prepare”. Imperva disables TCP timestamps since Sep. 2011 as a fix to avoid communication issues with certain versions of AIX database agents.
To recreate the crash without SecureSphere, do the following command on the APM and pull out the CPM:
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
Imperva has provided a patch that does not disable TCP timestamps on Crossbeam platforms. Please contact Imperva support for the patch for the gateway and apply the patch to the MX server if required. Imperva Bug number: 43483
As an immediate fix for the customer you can comment the command below from /opt/SecureSphere/etc/impctl/lib/gateway.sh on all APMs that run SecureSphere.