Layer7 Access Management

Tech Tip - CA Single Sign-On: Webserver responded with deformed packets when webagent is enabled

By wonsa03 posted 04-18-2016 02:33 AM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 18th April 2016

 

ISSUE:

Intermittently, a user with an expired SM session is redirected to an error page instead of the login page.

The following error is logged in the Web Agent log:

[SmApache22WebFilterCtxt.cpp:530][ERROR][sm-AgentFramework-00070] Input filter pre-fetch read error - 'Content data is not available'

The network trace shows a RST from the LTM/F5.

 

CAUSE:

A policy is defined on the LTM/F5 to issue a RST when it detects a malformed network packet, that is, a request or response that does not comply with the HTTP protocol (RFC 2616), e.g. a blank Content-Type.

We created a Python script to POST the same data to the webserver and successfully reproduced the deformed responses (a blank Content-Type in the first response, followed closely by another response without headers) when the Web Agent is enabled.

 

Response from the webserver when the Web Agent is enabled:

[Image: webagentenabled.PNG]

Response from the webserver when the Web Agent is disabled:

[Image: webagent.PNG]

Sample Python script:

[Image: script.PNG]
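The script itself is only referenced as an image here. As an added example (not the author's script), the following check walks raw server-to-client bytes, such as a stream exported from a network trace, and reports the two malformations described above: a blank Content-Type, and trailing data that does not start with a status line. The sample byte strings are constructed, their status codes and other headers are placeholders, and the check assumes Content-Length framing.

```python
import re

STATUS = re.compile(rb"HTTP/1\.[01] \d{3}")

def scan_stream(raw: bytes) -> list[str]:
    """Report what an HTTP compliance policy would object to in a response stream."""
    findings, pos, n = [], 0, 0
    while pos < len(raw):
        n += 1
        if not STATUS.match(raw, pos):
            findings.append(f"response {n}: no status line or headers")
            break
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            findings.append(f"response {n}: header block not terminated")
            break
        headers = {}
        for line in raw[pos:end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if headers.get(b"content-type") == b"":
            findings.append(f"response {n}: blank Content-Type")
        length = headers.get(b"content-length")
        if length is None or not length.isdigit():
            break  # chunked or close-delimited body: framing not handled here
        pos = end + 4 + int(length)  # skip the body, look for the next response
    return findings

# Constructed samples modelled on the behaviour described in this tech tip.
AGENT_ENABLED = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Content-Type:\r\n"
    b"Content-Length: 0\r\n\r\n"
    b"<html>error</html>"  # second "response": data with no status line
)
AGENT_DISABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, stream in (("enabled", AGENT_ENABLED), ("disabled", AGENT_DISABLED)):
        print(label, scan_stream(stream) or "compliant")
```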

 

RESOLUTION:

Setting LegacyStreamingBehavior=yes resolved the issue.

The ACO parameter LegacyStreamingBehavior specifies how content is transferred to the server during POST requests.

When the value of this parameter is set to yes, all content types are streamed, except for the following:

- text/xml

- application/x-www-form-urlencoded

When the value of this parameter is set to no, all content types are spooled.

 

WORKAROUND:

Options to overcome the issue:

  • Disable POST data preservation: PreservePostData=no (the Web Agent will not preserve POST data when redirecting requests to the login page)
  • Disable the policy on the LTM/F5 that checks HTTP request/response compliance, or bypass the LTM/F5