The Access Gateway server was migrated from one environment to another, keeping the same hostname, IP address, etc.
Web agent log:
[17675/47915922847488][Wed Nov 26 2025 18:55:49.460][SmPlugin.cpp:66][INFO][sm-AgentFramework-00170] Agent Framework plug-in 'SM_WAF_HTTP_PLUGIN' initialized. Description 'SiteMinder Agent HTTP Plug-in'.
[17675/47915922847488][Wed Nov 26 2025 18:55:49.461][SmPlugin.cpp:66][INFO][sm-AgentFramework-00170] Agent Framework plug-in 'SM_WAF_AG_PLUGIN' initialized. Description 'CA Access Gateway Plug-in'.
[17675/47915922847488][Wed Nov 26 2025 18:55:49.461][SmPlugin.cpp:66][INFO][sm-AgentFramework-00170] Agent Framework plug-in 'SM_WAF_SAMLDATA_PLUGIN' initialized. Description 'SiteMinder Agent SAML Data Plug-in'.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmAgentApiBase.cpp:641][ERROR][sm-AgentFramework-00810] API: SiteMinder Agent Api function failed - 'Sm_AgentApi_DoManagement' returned '-2'.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmAdminManager.cpp:975][WARNING][sm-AgentFramework-00340] ADMIN: DoManagement failed. Agent unable to process possible management events.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmAdminManager.cpp:1028][ERROR][sm-AgentFramework-00930] ADMIN: Could not set encryption context during initialization.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmHighLevelAgent.cpp:122][ERROR][sm-AgentFramework-00400] HLA: Failed to initialize 'Administration Manager'.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][SmPlugin.cpp:103][INFO][sm-AgentFramework-00180] Agent Framework plug-in 'SM_WAF_HTTP_PLUGIN' shutdown.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][SmPlugin.cpp:103][INFO][sm-AgentFramework-00180] Agent Framework plug-in 'SM_WAF_AG_PLUGIN' shutdown.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][SmPlugin.cpp:103][INFO][sm-AgentFramework-00180] Agent Framework plug-in 'SM_WAF_SAMLDATA_PLUGIN' shutdown.
The web agent log indicates a communication timeout (reaching RequestTimeout x (number of Policy Servers)).
The agent is able to download the HCO/ACO and generate logs; it fails only when fetching the agent keys.
The Policy Server side did not show any useful information.
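The timeout pattern described above can be confirmed from the log itself. The following is an added example, not part of the original article or the product: it parses the log lines shown above and measures the stall between the last plug-in initialization and the DoManagement failure. The RequestTimeout and Policy Server count passed to matches_timeout_budget are hypothetical values, since the article does not state them.

```python
import re
from datetime import datetime

# Three of the web agent log lines from this article (init, API failure, key failure).
SAMPLE_LOG = """\
[17675/47915922847488][Wed Nov 26 2025 18:55:49.461][SmPlugin.cpp:66][INFO][sm-AgentFramework-00170] Agent Framework plug-in 'SM_WAF_SAMLDATA_PLUGIN' initialized. Description 'SiteMinder Agent SAML Data Plug-in'.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmAgentApiBase.cpp:641][ERROR][sm-AgentFramework-00810] API: SiteMinder Agent Api function failed - 'Sm_AgentApi_DoManagement' returned '-2'.
[17675/47915922847488][Wed Nov 26 2025 18:59:49.661][CSmAdminManager.cpp:1028][ERROR][sm-AgentFramework-00930] ADMIN: Could not set encryption context during initialization.
"""

LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<code>sm-AgentFramework-\d+)\]\s*(?P<msg>.*)$"
)

def parse(log_text):
    """Yield (timestamp, message code, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or truncated lines are skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S.%f")
            yield ts, m["code"], m["msg"]

def key_fetch_stall(log_text):
    """Seconds from the last plug-in init (00170) to a DoManagement failure (00810)
    that is followed by the encryption-context error (00930); None if not seen."""
    last_init = failed_at = None
    for ts, code, msg in parse(log_text):
        if code.endswith("-00170"):
            last_init = ts
        elif code.endswith("-00810") and "Sm_AgentApi_DoManagement" in msg:
            failed_at = ts
        elif code.endswith("-00930") and failed_at and last_init:
            return (failed_at - last_init).total_seconds()
    return None

def matches_timeout_budget(stall, request_timeout, ps_count, slack=5.0):
    """True when the stall is within `slack` seconds of RequestTimeout x (number of PS)."""
    return stall is not None and abs(stall - request_timeout * ps_count) <= slack

if __name__ == "__main__":
    stall = key_fetch_stall(SAMPLE_LOG)
    # 60 s and 4 Policy Servers are hypothetical; use the values from your own ACO/HCO.
    print(f"stall={stall:.1f}s timeout-shaped={matches_timeout_budget(stall, 60, 4)}")
```

A stall that lands on a multiple of RequestTimeout, with HCO/ACO retrieval succeeding beforehand, points at dropped large responses rather than a refused connection.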
The team finally found that the cause was an MTU size mismatch. If a device sends a packet that exceeds the MTU of the next network hop and the "don't fragment" (DF) bit is set, the packet cannot be fragmented and that hop discards it. The result is a silent failure in which the sender receives no response, often showing up as frozen applications or timeouts.
Configure the proper MTU.
Example:
netsh interface ipv4 set subinterface "Ethernet" mtu=1398