search cancel

Error : Communication failure between SiteMinder policy server and web agent


Article ID: 108132


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



In the Web Agent traces, messages like these can be seen :

  [IsResourceProtected][Communication failure between SiteMinder policy server and web agent.]

But Users report no problems.




  - Check if there is any network interruption causing this;
  - Check if the Policy Server is shutdown or restarted:
  - If the WebAgent's SmHost.conf and HCO is pointing to a single Policy
    Server then you would be experiencing an outage at this point;
  - If there are multiple Policy Servers defined then users may not see
    any error as Loadbalance/Failover takes care of agent
    requests. However you will find these errors in the log during
    failover (1)(2)(3);
  - Check if all custom authentications are loading properly. (When
    there is a request for custom authentication and if it does not load
    properly then you can get this error as well);

  - Check if the Policy Server has problem to execute Active Expression
    and retrieve data, which can lead to a timeout. To illustrate in the
    trace log there were three separate ~20 second delays all within
    CSmActiveExpr::GetActiveValue function calls for the delayed
    transactions resulting in :

     LogMessage:ERROR:[sm-Server-02740] Failed to retreive the value.

    There were 3 active expressions. Removed them and authentication
    went through very fast.

If it is not the above, it can be due to a bad request.

In case if someone is forging a request passing invalid query
parameters such as agentname to the login.fcc, so when the Agent
sends this data to the Policy Server, the Policy Server may find this
request to be invalid and results in this error being logged (4).


Additional Information



    Error 500 : Web Agent Failing to Connect to Policy Server

      - Configure the Load Balancer able to handle properly the connections
        from the Web Agent to the Policy Servers;


    Error : Agent Api function failed with Web Agent and Load Balancer

      - To solve this issue, the idle timeout configured on the Policy
        Server should be less than the session timeout configure for any
        device between Policy Server and Web Agent (Load Balancer or
        Firewall) (1).


    Error : Web Agent reports Failover from cluster [0] to cluster [1]

      - Investigate network, load balancer and firewall and make sure that
        there's no timeout on the TCP Protocol. If there's one, make sure
        that the TCP Protocol timeout is big enough.

      - On the Web Agent and Policy Server, enable the environment variable
        SM_ENABLE_TCP_KEEPALIVE to insure that both component won't try to
        use a connection that has been terminated on the firewall or
        loadbalancer :



    Error : Cannot fetch Agent errors in smps log

      When running Web Agent and Policy Server, the Policy Server reports
      error :

      Cannot fetch agent <agent-name> agent
      Cannot fetch agent rm68mlez4nymx/84ghafegu8szctihxhazdwm36bjoffghbqrkh2akoxdischjcq
      and the request fails with error 500 in the browser. The Web Agent reports error

      Communication failure between SiteMinder policy server and web agent
      for that transaction.