
Error : 500 Web Agent and Policy Server Network Communication Problem


Article ID: 42108


Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On
- SITEMINDER
- CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

A Web Agent went offline during a Policy Server request, which caused
an outage on the Policy Server.

This can happen, for example, during a network outage or because of a
network component failure.

Consequently, the Web Agent can't notify the Policy Server of the
communication failure, and the Policy Server continues to wait for the
Web Agent data. When multiple requests from one or more Web Agents are
lost in this manner, the Policy Server can become unresponsive because
the worker threads handling the requests are not released. The
symptoms have been seen in the Policy Server logs in the form of
failed authentications or authorizations, or as increasing
connection queues.

Also, because there was a firewall between the Web Agent and the Policy
Server, the agent returned a 500 error when a page was accessed.

 

Environment

 

Policy Server all supported versions;
Web Agents since 12.51

 

Resolution

 

In R6SP6, R12 SP3, R12.5x, R12.6-7-8 and above, you can create and
enable the SM_ENABLE_TCP_KEEPALIVE (SiteMinder Enable TCP Keep Alive)
environment variable. This variable allows the Policy Server to send
KeepAlive packets to connections that appear to the Policy Server to
be idle Web Agent connections (1)(2).

The initial wait period and the frequency or interval at which the
Server sends the packets are based on OS-specific, configurable TCP/IP
parameters:

  - When the Server must start to send the packets;
  - The number of times the Policy Server sends the packets before
    determining that the Web Agent connection is lost;
  - The interval at which the Policy Server sends the packets.

For more information about configuring TCP/IP parameters, see your
OS–specific documentation.

To configure the Policy Server to send KeepAlive packets to idle Web
Agent connections, log into the Policy Server host system and do one
of the following:

- (Windows) Create the following system environment variable with a
  value of 1:

  SM_ENABLE_TCP_KEEPALIVE

- (UNIX)

  a. Create the following system environment variable:

     SM_ENABLE_TCP_KEEPALIVE=1

  b. Export the environment variable.

Note: The value must be 0 (disabled) or 1 (enabled). If a value other
than 0 or 1 is configured, the environment variable is disabled. If
the environment variable is disabled, the Policy Server does not send
KeepAlive packets to idle Web Agent connections.
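
An added example (not Broadcom's or the article's own code) for checking a Linux host after the steps above: it applies the 0/1 rule from the note and derives, from the three OS parameters listed earlier, when the first probe is sent and when a connection is declared lost. The Linux sysctl names, the fallback defaults and the firewall idle timeout argument are assumptions that are not part of the article.

```shell
#!/bin/sh
# Added example; assumes a Linux Policy Server or agent host.

# Per the article's note: only the value 1 enables keepalives;
# 0, unset, or any other value leaves them disabled.
sm_keepalive_state() {
    case "${1-}" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Read one Linux keepalive sysctl (assumed names under /proc/sys/net/ipv4),
# falling back to a caller-supplied value when the file is not readable.
read_ka() {  # $1 = time|intvl|probes, $2 = fallback
    f="/proc/sys/net/ipv4/tcp_keepalive_$1"
    if [ -r "$f" ]; then cat "$f"; else echo "$2"; fi
}

# Seconds from the last traffic until the kernel declares the peer lost:
# idle wait before the first probe + (probe interval * probe count).
dead_peer_secs() {  # $1 = time, $2 = intvl, $3 = probes
    echo $(( $1 + $2 * $3 ))
}

# Is the first probe sent before a firewall with the given idle timeout
# (operator-supplied, hypothetical input) would drop the idle connection?
probe_beats_firewall() {  # $1 = keepalive time, $2 = firewall idle timeout
    if [ "$1" -lt "$2" ]; then echo ok; else echo too-late; fi
}

report() {  # $1 = firewall idle timeout in seconds
    t=$(read_ka time 7200); i=$(read_ka intvl 75); p=$(read_ka probes 9)
    echo "SM_ENABLE_TCP_KEEPALIVE: $(sm_keepalive_state "${SM_ENABLE_TCP_KEEPALIVE-}")"
    echo "first probe after ${t}s idle, then every ${i}s, ${p} probes"
    echo "lost connection detected after $(dead_peer_secs "$t" "$i" "$p")s"
    echo "firewall idle timeout ${1}s: $(probe_beats_firewall "$t" "$1")"
}

report "${1:-3600}"
```

Run it in the same environment the Policy Server or agent process starts from, so that the exported variable is visible to the script.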

Subsequently, in 6SP6CR8 and in R12SP3CR8, another related fix was
introduced to improve the connection management mechanism further. If
a Policy Server thread hangs in TCP recv(), the Policy Server doesn't
respond to requests. This is because one thread that has taken a read
lock is waiting on recv() while another thread is waiting on the write
lock. Since a write lock request is pending, all other threads waiting
for the read lock won't be granted access. This situation is resolved
when the recv() call returns, and the Policy Server recovers.

Also, the R12.51 Web Agent Release Notes mention “Enable KeepAlives When
Agents and Policy Servers are Separated a Firewall.” When there’s a
firewall between the agent and the Policy Server, and the agent returns
a 500 error when accessing a page, set SM_ENABLE_TCP_KEEPALIVE on the
agent by following the above steps for Windows and UNIX operating
systems.

In addition, since R12.52, it is recommended to set this variable at
the locations for an Application Server Agent (ASA), the
Administrative UI, or a custom agent created by the SDK.

 

Additional Information

 

(1)

    Enable KeepAlives When Agents and Policy Servers are Separated a Firewall
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/troubleshooting-agent-configuration.html#concept.dita_ced747b41aeeef2733e253382031ce62bf99d4dc_EnableKeepAlivesWhenAgentsandPolicyServersareSeparatedaFirewall

(2)

    Policy Server Hangs after Web Agent Communication Failure
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/policy-server-troubleshooting.html#concept.dita_4ef5c74b37b40cf964708a51a4e44a83bb5e4f34_AgentApiFunctionFailsWhenLoadBalancerisIntroducedBetweenAgentandPolicyServer