Imperva gateway reboots when primary CPM is physically reseated


Article ID: 167825


Updated On:

Products

XOS

Issue/Introduction

XOS 9.6.x/SSGW 8.0/SSGW 9.0

When the primary CPM is pulled out, the Imperva APM(s) crash when the original primary CPM is reseated in the chassis.
The APM crash is seen in the /crossbeam/logs/cbsoops directory of the APM(s).
Similar behaviour is not seen during the following activities:

  1. reload all

  2. reload <slot # of APM>

  3. Power-cycling the chassis

Cause

The crash is caused by a Linux kernel bug that is triggered when TCP timestamps are disabled.
Imperva disables TCP timestamps in impctl when doing “impctl gateway start –prepare”.
Imperva has disabled TCP timestamps since Sep. 2011 as a fix to avoid communication issues with certain versions of AIX database agents.

To recreate the crash without SecureSphere, run the following command on the APM and then pull out the CPM:
 
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
 

Resolution

Imperva has provided a patch that does not disable TCP timestamps on Crossbeam platforms.
Please contact Imperva support for the patch for the gateway and apply the patch to the MX server if required.
Imperva Bug number: 43483

Workaround

As an immediate fix for the customer, you can comment out the command below in /opt/SecureSphere/etc/impctl/lib/gateway.sh on all APMs that run SecureSphere.


echo 0 > /proc/sys/net/ipv4/tcp_timestamps
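
The workaround above as a repeatable, idempotent shell step with a backup. This is an added example, not Imperva or Crossbeam code; the file path and the command are the ones given in this article, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: comment out the line that disables TCP timestamps.
# Path and command are taken from the article; function names are made up here.
GATEWAY_SH_DEFAULT=/opt/SecureSphere/etc/impctl/lib/gateway.sh
# Basic regex for the command, tolerant of spacing around '0' and '>'.
TS_CMD='echo[[:space:]][[:space:]]*0[[:space:]]*>[[:space:]]*/proc/sys/net/ipv4/tcp_timestamps'

# count_active FILE: print the number of uncommented lines that run the command.
count_active() {
    grep -c "^[[:space:]]*$TS_CMD" "$1" || true   # grep exits 1 on zero matches
}

# ts_runtime_value [PATH]: print the current kernel setting (1 = enabled).
# Editing gateway.sh does not change this value on a running APM.
ts_runtime_value() {
    cat "${1:-/proc/sys/net/ipv4/tcp_timestamps}"
}

# comment_out_ts_disable [FILE]: back up FILE, then prefix each active
# occurrence with '# ', keeping indentation. Safe to run more than once.
comment_out_ts_disable() {
    f=${1:-$GATEWAY_SH_DEFAULT}
    [ -f "$f" ] || { echo "not found: $f" >&2; return 2; }
    n=$(count_active "$f")
    if [ "$n" -eq 0 ]; then
        echo "no active tcp_timestamps disable line in $f"
        return 0
    fi
    cp -p "$f" "$f.bak" || return 1
    # Write back into the same file so owner and mode stay as they were.
    sed "s|^\([[:space:]]*\)\($TS_CMD\)|\1# \2|" "$f.bak" > "$f" || return 1
    echo "commented out $n line(s) in $f (backup: $f.bak)"
}
```

Run `comment_out_ts_disable` with no argument on each APM that runs SecureSphere, or pass the path of a copy to check the result first.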