Layer7 Access Management

Tech Tip: CA Single Sign-On :: Web Agent :: How to troubleshoot intermittent connectivity issues between Web Agent and Policy Servers?

By Ujwol posted 02-05-2018 07:32 PM

  

Introduction

We often receive support cases about intermittent connectivity issues between the Web Agent and the Policy Servers.

Some of the symptoms of connectivity issues between the Web Agent and the Policy Server are:

 

Web Agent log :

LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-1'.

LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-2'

LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

 

Because such connectivity issues can have multiple causes, support needs the comprehensive set of logs described below to analyze them.
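Before collecting the full log set, it helps to tally which Agent API calls are failing and with which return codes. The script below is an added example, not CA/Broadcom code: the function names and the bracketed prefix in the sample lines are assumptions, and only the message text after "LLA:" comes from the symptom lines above.

```shell
#!/bin/sh
# Added example: summarize Agent API failures found in a Web Agent log.

# Constructed sample input. The message text matches the symptom lines in
# the article; the bracketed prefix is made up for illustration.
sample_agent_log() {
cat <<'EOF'
[constructed 10:01:07] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-1'.
[constructed 10:01:09] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-2'
[constructed 10:03:41] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.
[constructed 10:03:42] unrelated informational line
[constructed 10:07:15] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_AuthorizeEx' returned '-1'.
EOF
}

# Reads log text on stdin and prints "<count> <function> <return code>" for
# each distinct failure, most frequent first. Whatever precedes the message
# on the line (timestamps, pid/tid, source file) is ignored.
summarize_agent_api_failures() {
  sed -n "s/.*Agent Api function failed - '\([A-Za-z0-9_]*\)' returned '\(-\{0,1\}[0-9][0-9]*\)'.*/\1 \2/p" \
    | LC_ALL=C sort | uniq -c \
    | LC_ALL=C sort -k1,1nr -k2,2 -k3,3 \
    | awk '{ print $1, $2, $3 }'
}

# Total number of failure lines, regardless of function or return code.
count_agent_api_failures() {
  summarize_agent_api_failures | awk '{ n += $1 } END { print n + 0 }'
}

# With a log file argument, summarize that file; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
  summarize_agent_api_failures < "$1"
else
  sample_agent_log | summarize_agent_api_failures
fi
```

Running it against the agent log from each affected web server shows whether the failures cluster on one API call or one return code, which is useful context to include with the logs requested below.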

Environment

  • Policy Server : ANY
  • Web Agent : ANY

Instructions

 

1) Web Agent

 

  • Enable Keep Alive (SM_ENABLE_TCP_KEEPALIVE=1)

How to verify if SM_ENABLE_TCP_KEEPALIVE is working? 

  • Enable Transport Layer Interface (TLI) Logging

When you want to examine the connections between the agent and the Policy Server, enable transport layer interface logging.

To enable TLI logging

Add the following environment variable to your web server.

Specify a directory and log file name for the value of the variable, as shown in the following example:

SM_TLI_LOG_FILE = directory_name/log_file_name.log

Verify that your agent is enabled.

Restart your web server.

TLI logging is enabled.

  • Enable a network capture between the web server and the Policy Server.

Unix:

tcpdump -i <interface> -s 65535 -w <some-file>

Where <interface> is the name of the active network interface, e.g.

tcpdump -i eth0 -s 65535 -w networkacapture.pcap

Windows:

Capture network traffic using Wireshark.


 

  • Enable the Web Agent trace log. Use the following profiler configuration:
components: WebAgent, AgentFramework, HTTPAgent, AgentFunc, Agent_Functions, Agent_Con_Manager, AgentAPI
data: Date, PreciseTime, Pid, Tid, TransactionID, AgentName, Resource, SrcFile, Function, User, Domain, Realm, DomainOID, IPAddr, IPPort, CertSerial, SubjectDN, IssuerDN, UserDN, SessionSpec, SessionID, Action, RealmOID, Message
  • Enable the Web Agent logs.
  • Collect the web server error and access logs.
  • On Windows, provide the Event Viewer logs.

 

2) Policy Server

  • Enable Keep Alive (SM_ENABLE_TCP_KEEPALIVE=1)
  • Enable the Policy Server trace log using the following profiler configuration:
components: Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages
data: Date, PreciseTime, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message
version: 1.1
  • Enable a network capture between the Policy Server and the web server.

Unix:

tcpdump -i <interface> -s 65535 -w <some-file>

Where <interface> is the name of the active network interface, e.g.

tcpdump -i eth0 -s 65535 -w networkacapture.pcap

Windows:

Capture network traffic using Wireshark.


  • Configure the following command to run at an interval of 2-5 minutes using the Windows scheduler or a cron job on Unix. The stats are captured in smps.log:
    smpolicysrv -stats