
Errors in Policy Server smps.log explanations


Article ID: 202190


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

How to avoid the following messages in the smps.log:

 1. Error# '81' during search: 'error: Can't contact LDAP server'
    Search Query =
    '(&(uid=****)(objectclass=****)(!(myType=***)))'

 2. Failed to initialize TCP client connection. Socket error 107
 
 3. [sm-Server-06007] failed. Error code : 2

 4. [sm-Ldap-00770] (AuthenticateUser) DN: 'cn=***,ou=Users,o=****,c=us' . 
    Status: Error 48 . Inappropriate authentication

 5. Bad security handshake attempt. Handshake error: 3154

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

Here are the possible ways to investigate each error:

1. This error might appear if the LDAP User Directory closes the
   connection (1).

2. This issue happens when the Web Agent closes the connection and
   the Policy Server has not received the information to close the
   connection (2).

   To help prevent that, consider implementing
   SM_ENABLE_TCP_KEEPALIVE (3).

3. This error means that the data was not found in the Session Store
   (4).

   This error message might appear if there is a mixture of persistent
   and non-persistent realms in your environment (5).

4. Investigate the reasons for this with the LDAP vendor; it may be a
   configuration problem on the LDAP side (6).

5. This error means that the shared secret and/or the agent name does
   not match the values stored in the Policy Store for that Agent.
   Usually, the solution is to register the Agent again
   (7)(8)(9)(10)(11).
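As an added illustration (not part of this article or the product), the following Python helper maps each of the five smps.log messages above to the diagnosis given in this section and counts them over a log excerpt; the sample lines, their bracketed prefixes and the DN/query values are constructed for the example.

```python
import re
from collections import Counter

# The five smps.log messages this article covers, each paired with the
# diagnosis from the Resolution section. Patterns match the stable text of
# each message, never the masked (***) values.
RULES = [
    ("ldap_contact_lost", r"Error# '81' during search: 'error: Can't contact LDAP server'",
     "LDAP User Directory closed the connection; keep the backend connection open"),
    ("agent_socket_107", r"Failed to initialize TCP client connection\. Socket error 107",
     "Web Agent dropped the connection unnoticed; consider SM_ENABLE_TCP_KEEPALIVE=1"),
    ("session_store_code_2", r"\[sm-Server-06007\] failed\. Error code : 2\b",
     "session not found in the Session Store; check for mixed persistent/non-persistent realms"),
    ("ldap_inappropriate_auth_48", r"\[sm-Ldap-00770\].*Status: Error 48\b",
     "LDAP inappropriateAuthentication (48) on bind; review bind requirements with the LDAP vendor"),
    ("handshake_3154", r"Bad security handshake attempt\. Handshake error: 3154\b",
     "shared secret or agent name mismatch with the Policy Store; re-register the agent with smreghost"),
]

def classify(line):
    # Returns (rule_name, hint) for a known message, or None for anything else.
    for name, pattern, hint in RULES:
        if re.search(pattern, line):
            return name, hint
    return None

def triage(lines):
    # Counts how often each known message appears in a log excerpt.
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return counts

# Constructed sample lines; the bracketed prefix is illustrative, not the
# real smps.log format, and the DN/query values are made up.
SAMPLE_LOG = [
    "[1001/1][CServer.cpp][ERROR][sm-Server-06007] failed. Error code : 2",
    "[1001/2][SmDsLdap.cpp][ERROR] Error# '81' during search: 'error: Can't contact LDAP server' Search Query = '(&(uid=jdoe)(objectclass=person))'",
    "[1001/3][CServer.cpp][ERROR] Failed to initialize TCP client connection. Socket error 107",
    "[1001/4][SmDsLdap.cpp][ERROR][sm-Ldap-00770] (AuthenticateUser) DN: 'cn=jdoe,ou=Users,o=example,c=us' . Status: Error 48 . Inappropriate authentication",
    "[1001/5][CServer.cpp][ERROR] Bad security handshake attempt. Handshake error: 3154",
    "[1001/6][CServer.cpp][ERROR] Bad security handshake attempt. Handshake error: 3154",
    "[1001/7][CServer.cpp][INFO] Agent 'agent01' connected",
]

if __name__ == "__main__":
    for name, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{count}x {name}: {dict((n, h) for n, _, h in RULES)[name]}")
```

Run it against a real smps.log with `triage(open(path).read().splitlines())` to see which of the five conditions dominates before following the matching reference below.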

 

Additional Information

 

(1)

    Error : '81' during search: 'error: Can't contact LDAP server'
    
      To avoid this message, configure the LDAP Backend Store to never
      close its connection with the Policy Server.

    https://knowledge.broadcom.com/external/article?articleId=8010

(2)

    Failed to initialize TCP client connection. Socket error 107

      In almost all cases, the Socket error 107 occurs due to an external
      network issue. It means "Transport endpoint is not
      connected". Basically, the communication between the Policy Server
      and the Agent was lost.

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=770244#:~:text=Hi%20Stefano%2C-,In%20almost%20all%20cases%2C%20the%20Socket%20error%20107%20occurs%20due,is%20interfering%20in%20the%20network.

(3)

    Policy Server Hangs after Web Agent Communication Failure

      If a Web Agent goes offline during a Policy Server request, for
      example, during a network outage, and does not notify the Policy
      Server of the communication failure, the Policy Server continues
      to wait for the Web Agent data. The Policy Server continues to
      wait, even after the Web Agent regains network functionality and
      closes the connection to the Policy Server.

      To configure the Policy Server to send KeepAlive packets to idle
      Web Agent connections:

      Log into the Policy Server host system. Do one of the
      following:

      (Windows) Create the following system environment variable with
      a value of 1: SM_ENABLE_TCP_KEEPALIVE

      (UNIX) Create the following system environment variable:
      SM_ENABLE_TCP_KEEPALIVE=1

      Export the environment variable.

      The value must be 0 (disabled) or 1 (enabled). If a value other
      than 0 or 1 is configured, the environment variable is
      disabled. If the environment variable is disabled, the Policy
      Server does not send KeepAlive packets to idle Web Agent
      connections.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/policy-server-troubleshooting.html

(4)

    failed with code - 1001 errors post R12.8 upgrade

      Error code 2 shows there was an issue when the Policy Server was
      trying to get the session from the session store. It searched in
      the session store but it couldn't find the session in the
      store. It may be a bad input for the search at the session
      store. You can get more details in the Policy Server trace log
      file (smtracedefault.log) on what search query was sent to the
      session store.

    https://knowledge.broadcom.com/external/article?articleId=142166

(5)

    SAML federation via IWA Sessionstore problem

      Check if the realms are all persistent and decide whether
      persistency is needed or not. Having a mixture of persistent and
      non-persistent realms can provoke this error. Also remove all
      SLO configurations that are not in use.

    https://knowledge.broadcom.com/external/article?articleId=143417

(6)

    LDAP Result Code Reference: Core LDAPv3 Result Codes

      inappropriateAuthentication (48)
      Applicable operation types: bind

      The inappropriateAuthentication result code indicates that the
      client attempted to bind in a manner that is inappropriate for
      the target account. Some possible reasons for this result code
      include:

      The client attempted to perform anonymous authentication, but
      the server does not permit anonymous authentication.

      The client attempted to perform a type of authentication for
      which the target account does not have an appropriate set of
      credentials. For example, this result code may be returned if a
      client attempts to perform a password-based bind when the target
      user's entry does not contain a password.

      The client attempted to perform a type of authentication that is
      not allowed for that client. For example, the client attempted
      to perform a lower-security type of authentication (like simple
      authentication or SASL PLAIN) when a stronger method (e.g., a
      client certificate or a two-factor mechanism) is required.

    https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-inappropriateAuthentication

(7)

    What are the possible handshake errors in policy server?

      Bad security handshake attempt. Handshake error: 3154 - Client
      name does not match hash value - Shared secret sent by the agent
      is not correct/valid

    https://knowledge.broadcom.com/external/article?articleId=42071

(8)

    LLAWP will not load

      Running smreghost to re-register the agent should resolve this
      issue.

    https://knowledge.broadcom.com/external/article?articleId=4334

(9)

    Bad security handshake attempt. Handshake error: 3154

    https://knowledge.broadcom.com/external/article?articleId=191412

(10)

    Policy server not able to connect with webservices instance

    https://knowledge.broadcom.com/external/article?articleId=197525

(11)

    Handshake error when using SM Test Tool from a different box

    https://knowledge.broadcom.com/external/article?articleId=16721