Layer7 Access Management

Expand all | Collapse all

Siteminder web agent is unable to intercept Traffic on IIS 7.5

Jump to Best Answer
  • 1.  Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-02-2016 03:06 PM

    Hello All,

     

    I installed Siteminder web agent 64-bit on IIS 7.5 and I see LLAWP process is running on Task manager and I dont see any error messages inside the Event viewer (Application logs). But still the Siteminder web agent is unable to intercept the Traffic. Can someone help me in resolving this problem would be appreciated.

     

    Back ground details :

    Operating System : Windows server 2008 R2 Standard (64 bit)

    IIS version : 7.5

    Siteminder web agent version :

    FullVersion=12.0.300.256

    Version=12QMR3

    Update=00

    Build Number=256

    Web agent installation Package Name:

    ca-wa-12.0-sp3-win64

    Process running inside the Task Manager:

    LLAWP.exe

     

    Thank you,

    Naveen



  • 2.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-02-2016 06:56 PM

    Hi,

     

    Please check if the webagent ISAPI filters, modules and handler mappings are added at the web site level. Also, ensure that the ISAPI extension is allowed from the server level.



  • 3.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 04:07 AM

    Hello Naveen,

     

    For the 12.0 SP3.x version, the installer for webagent for iis should have "iis" in the installer:

     

    Example:  sm-wa-iis-12.0-sp3-cr012-win64.zip

     

    The installer (smwa-12.0-sp3-cr012-win64.zip) should be used for cases where you have apache for Windows implementations.

     

    If you confirm that you did not use the right installer, then try using the right installer, and then check the results.

     

    Thanks,

     

    Osarobo



  • 4.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 11:31 AM

    Osarobo ,

     

    Thanks for the quick response all of you

     

    we are having a installation file sm-wa-iis-12.0-sp3-cr012-win64.zip with this name. but I actually installed smwa-12.0-sp3-cr012-win64.zip this one. I will uninstall the existing one and install the new package. even though I installed the wrong web agent package but I am still seeing the LLAWP process is running on the task manager, So that's the reason I am bit of confused?

     

     

     

    Thank you,

    Naveen



  • 5.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 12:57 PM

    If you stop IIS (iisreset /stop) does the LLAWP.exe process stop?

     

    If not, then kill the LLAWP.exe process. 



  • 6.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 02:15 PM

    Lavst01 ,

     

    1) If you stop IIS (iisreset /stop) does the LLAWP.exe process stop?

         No LLAWP.exe process keeps on running after the iisreset / stop. So I manually ended the process. The LLAWP process is not showing up until I access the Default website (Browse *:80 http)

     

    Thank you,

    Naveen



  • 7.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 03:31 PM

    The LLAWP.exe process is a child process of w3wp.exe (IIS).  The LLAWP.exe process won't start until the first GET against a resource in the website where the web agent is configured (obviously, that is provided the web agent is enabled).  So, I would not expect LLAWP.exe to start when IIS is started, but I would expect it to start after performing a GET against a resource in a web site in which the web agent is configured.  So that part is working properly.

     

    However, when you stop IIS, the w3wp.exe process will stop and any child processes tied to that parent e.g.. LLAWP.exe) will be stopped as well.  If you stop IIS, and after a reasonable amount of time, the LLAWP process didn't stop, that would indicate that the LLAWP process was orphaned.  In other words, the running w3wp.exe process was not the parent which invoked the currently running LLAWP.exe process.  Therefore it is not one of its children.  This means that at some point, IIS was started which spawned a w3wp.exe process.  A GET was submitted to the resource and the w3wp process started LLAWP.exe.  At some point w3wp was stopped, but the LLAWP child process tied to that w3wp PID was not.

     

    You cannot run multiple LLAWP processes concurrently.  The next time around, the w3wp process was started.  Another GET was submitted.  w3wp spawned LLAWP.  However, the new LLAWP process found an existing LLAWP process already running, so it stopped.  The orphaned llawp process remains running.

     

    If you stop IIS, then kill the orphaned LLAWP process, then restart IIS and perform a GET, if the new LLAWP process is spawned, I'll assume things are working properly now.

     

    If this is the case, then go into the Application Pool and set "DisallowOverlappingRotation = TRUE", then restart IIS.  This shoudl prevent this issue from occurring in the future.  In addition, is you are manually restarting IIS, then use (IISRESET /STOP), then wait for w3wp and LLAWP processes to stop.  Then run (IISRESET /START). This will ensure a complete shutdown and restart.

     

    This issue can occur under two conditions:

     

    1) Application Pool recycles using a graceful restart.  This means the process is instructed to complete its transaction prior to shutting down.  On a busy web server, this can cause the LLAWP process to remain running while the new w3wp process is actually coming back online.  If the new w3wp invokes a new LLAWP and the new LLAWP finds the old LLAWP the new LLAWP will stop and the old LLAWP becomes orphaned and runs perptually until it is killed or the server is restarted.  Setting "DisallowOverlappingRotation = TRUE will prevent this from occurring.

     

    2) If you run IISRESET, this executes a graceful restart as well.  It is recommended that you run IISRESET /STOP, then wait for w3wp and LLAWP processes to stop, then stat IIS by running IISREST /START.  I would do this even if you have 'DisallowOverlappingRotation = TRUE'

     

    Set DisallowOverlappingRotation = TRUE in the Application Pool and perform a full stop and start of IIS and you should avoid this condition.



  • 8.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 04:50 PM

    LAVST01 ,

     

    The LLAWP.exe process is running successfully on the Task manger when we access the Application, we accidentally forgot to declare the location of the TraceConfigFile location inside the ACO parameters. I made that change inside the ACO and the web agent started intercepting the Traffic and writing the logs on the Trace file.

     

    Application is running on port 8001. But the web agent is only configured to intercept the traffic on the default port 80. we are working on changing the Advanced setting inside the IIS manager, so the web agent starts intercepting the traffic on port 8001.

     

    please let me know if you have any thoughts on this configuration. Thanks for the Information about the LLAWP.exe that you shared, That's really helpful for understanding about the process.

     

    Thank you,

    Naveen



  • 9.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-04-2016 03:39 PM

    How did you configure the Web Agent to only intercept traffic on tcp port 80 while the resource is listening on tcp port 8001?



  • 10.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-03-2016 10:13 AM

    Are you generating Agent Logs and/or Agent Traces? 

    If you stop IIS (iisreset /stop) does the LLAWP.exe process stop? 

    Are you seeing errors in the Windows Application and/or System Event Logs?



  • 11.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 05-31-2016 10:02 AM

    the IIS only agent in the 12.0 sp3 line allows 32 and 64 bit iis app pools. if you only have 64 bit the other agent was capable of doing what you need.

     

    there are a number of items to check, such as:

    • integrated v classic
    • level on which  the module (integrated) or handler and filter (classic) are at
    • module/filter and handler processing order (are they first? they should be!)
    • etc


  • 12.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 11:12 AM

    Hello All,

    Upon CA recommendation I am using ca-wa-iis-12.0-sp3-win64.exe software package. I am able to install and configure the Siteminder web agent and LLAWP process is running. I made the Siteminder Agent as first entry on ISAPI filters.

     

    The Application I am trying to protect is 32-bit Application, So on the ISAPI filters I made Siteminder Agent-32 as first entry and in the handler mappings handler-wa-32 is the First entry.

     

    When I tried to hit the Application I am getting 500.19 error and the error messages:

    5: <handlers accessPolicy="Read, Execute, Script">

        6: <add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="D:\CA\SiteMinder\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness32" />

        7: <add name="CASiteMinderWebAgentHandler-fcc-32" path="*.fcc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

     

    Config error:

    Cannot add duplicate collection entry of type 'add' with unique key attribute

    'name' set to 'handler-wa-32'

     

    Please let me if you have any questions?



  • 13.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 11:17 AM

    did you change web agents?

    if so, did you remember to remove the old configuration before uninstalling?

    if not, how many times have you run the wizard?

     

    my advice: reset IIS to factory defaults, then reconfigure



  • 14.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 11:28 AM

    Josh ,

     

    I changed the web agents specific to IIS.

    Yes I removed the Old configuration.

    I run the installation wizard so many times.

    I can reset the IIS to factory defaults and reconfigure the IIS Agent back. Thank you for the quick response Josh

     

    Thank you,

    Naveen



  • 15.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 03:01 PM

    Josh ,

    Installed the Siteminder web agent for IIS on brand new server (Web agent never installed on that box). Still getting the same error when accessing the Siteminder protected Application.

     

    Thank you,

    Naveen



  • 16.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 03:04 PM

    how many times did you run the configuration wizard?

     

    what manual steps did you take?



  • 17.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 03:14 PM

    how many times did you run the configuration wizard?

    ---- Only one time on the new server after I Installing the Siteminder web agent.

    what manual steps did you take?

    ---- After providing the all necessary details in the configuration wizard. I made some permission changes on the folders for accessing log location and SmHost.conf locations.

     

    These are series of messages that I am getting from the Event viewer:

     

     

    Error 6/6/2016 1:49:41 PM IIS-W3SVC-WP 2280 None (

     

    The Module DLL D:\CA\SiteMinder\webagent\win32\bin\IIS7WebAgent.dll failed to load.  The data is the error.

    )

    Information 6/6/2016 1:47:56 PM SiteMinder Agent 12 None (

     

    SiteMinder agent is running.

    )

    Information 6/6/2016 1:47:50 PM SiteMinder Agent 24 None (

     

    Configuration file path:

     

    'D:\CA\SiteMinder\webagent\win64\bin\IIS\WebAgent.conf'

    )

    Information 6/6/2016 1:47:50 PM SiteMinder Agent 9 None (

     

    SiteMinder agent is enabled.

    )

    Information 6/6/2016 1:47:50 PM SiteMinder Agent 36 None (

     

    Registry Entry requestpriority value:

     

    '0 (FIRST)'.

    )



  • 18.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5

    Posted 06-06-2016 03:20 PM

    that is a decidedly different error.

    add web agent error and trace log lines to your web agent.conf

     

    if you get logs you are loading the web agent.conf right.

    otherwise you need to look into the ability to read that.

     

    also, I would expect ca to want a case at this point as if it's not a read issue then you might need to do more detailed troubleshooting.



  • 19.  Re: Siteminder web agent is unable to intercept Traffic on IIS 7.5
    Best Answer

    Posted 06-20-2016 12:04 PM

    Hello All,

    I opened a ticket with CA to troubleshoot the error 500.19 that we are getting  After we installed and configured Siteminder web agent of IIS on the windows 2008 R2 server.

    On this windows server we are having two websites under the IIS Manager (Default Website, Application related web site). So each website having its own web.config file. During the configuration of web agent I configured on both the websites and the Siteminder DLL files get placed on Both the web.config files. I am having my application set up on (Application related website under IIS Manger). When I tried to hit the Application for some reason Siteminder web agent is starting consuming both web.config files of both websites and returning error 500.19 (Cannot add a duplicate entry). In order to resolve this error we unconfigure the Siteminder web agent on Default website, So the Siteminder web agent is reading the Siteminder DLL from the web.config from the Application related website. So it resolved the issue.

     

    Even though you configured the Siteminder web agent on IIS for both websites (default, App related website) there is a two lines of code that need to be placed on under the App related website web.config file, So that it doesn't inherit the properties from its parent.

     

    we have to additionally disable the web configuration inheritance
    by adding following two lines :

     

    <location path="."
    inheritInChildApplications="false">

    <system.webServer>

    </system.webServer>

    </location>

    These configuration needs to be placed on the top of <system.webserver></system.webserver> So that it don't inherit the properties from the Parent.

     

    Thank you for all your responses on this issue.