Introduction
We often receive support cases about intermittent connectivity issues between web agents and policy servers.
Some of the symptoms of these connectivity issues are:
Web Agent log:
LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-1'.
LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-2'
LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.
Because multiple causes can produce such connectivity issues, support needs the comprehensive set of logs described below to analyze them.
Environment
- Policy Server: ANY
- Web Agent: ANY
Instructions
1) Web Agent
- Enable Keep Alive (SM_ENABLE_TCP_KEEPALIVE=1)
How to verify if SM_ENABLE_TCP_KEEPALIVE is working?
- Enable Transport Layer Interface (TLI) Logging
When you want to examine the connections between the agent and the Policy Server, enable transport layer interface logging.
To enable TLI logging
Add the following environment variable to your web server.
Specify a directory and log file name for the value of the variable, as shown in the following example:
SM_TLI_LOG_FILE = directory_name/log_file_name.log
Verify that your agent is enabled.
Restart your web server.
TLI logging is enabled.
- Enable network capture between the web server and the Policy Server.
Unix:
tcpdump -i <interface> -s 65535 -w <some-file>
Where <interface> is the name of the active network interface,
e.g.
tcpdump -i eth0 -s 65535 -w networkacapture.pcap
Windows:
Capture network traffic using Wireshark.
- Enable the web agent trace log. Use the following profiler settings:
components: WebAgent, AgentFramework, HTTPAgent, AgentFunc, Agent_Functions, Agent_Con_Manager, AgentAPI
data: Date, PreciseTime, Pid, Tid, TransactionID, AgentName, Resource, SrcFile, Function, User, Domain, Realm, DomainOID, IPAddr, IPPort, CertSerial, SubjectDN, IssuerDN, UserDN, SessionSpec, SessionID, Action, RealmOID, Message
- Enable web agent logs.
- Collect the web server error and access logs.
- On Windows, provide the Event Viewer logs.
2) Policy Server
- Enable Keep Alive (SM_ENABLE_TCP_KEEPALIVE=1)
- Enable the Policy Server trace log using the following profiler settings:
components: Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages
data: Date, PreciseTime, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message
version: 1.1
- Enable network capture between the Policy Server and the web server.
Unix:
tcpdump -i <interface> -s 65535 -w <some-file>
Where <interface> is the name of the active network interface,
e.g.
tcpdump -i eth0 -s 65535 -w networkacapture.pcap
Windows:
Capture network traffic using Wireshark.
- Schedule the following command to run every 2-5 minutes using the Windows scheduler or a cron job on Unix. The stats are written to smps.log:
smpolicysrv -stats
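
Because the failures are intermittent, it helps to know which time windows of the capture, trace logs and smps.log stats to look at first. The following is an added example, not part of the original article or any vendor tooling: it extracts the Agent API failure lines quoted in the Introduction from a web agent log and groups them into padded bursts. The "[timestamp][LEVEL]" prefix, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message text is as quoted in the article. The "[timestamp][LEVEL]" prefix is
# an assumed layout: adjust FAIL and TS_FMT to match your agent log.
FAIL = re.compile(
    r"\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\].*"
    r"Agent Api function failed - '(?P<fn>Sm_AgentApi_\w+)' returned '(?P<rc>-?\d+)'"
)
TS_FMT = "%a %b %d %Y %H:%M:%S"

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
[Tue Mar 04 2025 10:15:02][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.
[Tue Mar 04 2025 10:15:03][INFO] request completed
[Tue Mar 04 2025 10:15:40][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-1'.
[Tue Mar 04 2025 10:47:11][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-2'
"""

def parse_failures(lines):
    """Return sorted (timestamp, function, return_code) tuples for failure lines."""
    events = []
    for line in lines:
        m = FAIL.search(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["fn"], int(m["rc"])))
    return sorted(events)

def failure_windows(events, gap=timedelta(minutes=2), pad=timedelta(seconds=30)):
    """Merge failures closer than `gap` into bursts; pad each burst so the
    matching slice of the capture and trace logs includes the lead-up."""
    bursts = []
    for ts, fn, rc in events:
        if bursts and ts - bursts[-1]["last"] <= gap:
            bursts[-1]["last"] = ts
        else:
            bursts.append({"first": ts, "last": ts, "counts": Counter()})
        bursts[-1]["counts"][(fn, rc)] += 1
    return [(b["first"] - pad, b["last"] + pad, dict(b["counts"])) for b in bursts]

if __name__ == "__main__":
    for start, end, counts in failure_windows(parse_failures(SAMPLE_LOG.splitlines())):
        print(f"{start:%H:%M:%S} .. {end:%H:%M:%S}")
        for (fn, rc), n in sorted(counts.items()):
            print(f"  {n}x {fn} returned {rc}")
```

Each returned window can be used to narrow the tcpdump capture, the trace logs on both sides and the nearest smpolicysrv -stats entries to the same period.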