Symantec Access Management

  • Private Community
 View Only

  • 1.  web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 16, 2015 03:49 PM

    I have a web agent installed in Windows with an IBM HTTP server.

     

    When I turn on the web agent, the web agent log file fills with:

    sm-httpagent-0020 Unable to resolve server host name.  Exiting with http 500 server error

    sm-agentFramework-00480 HLA: Missing resource data.

     

    I have checked if the DNS resolution for the expected traffic is working, and it is.

    I have checked if there are load testers in the envrionment, and there are none.

    I have validated the BadURLChars, and aligned the config with a QA environment where the configuration is working.

    I have my ACO - AgentName filtering on both IP and FQDN.

    I have checked with Fiddler if there are headers there when the web agent is not active, and there are headers showing in Fiddler.

     

    Does anyone have any idea what might be blocking the headers?

     

    Thank you very much.

     

    Cheers.



  • 2.  Re: web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 17, 2015 09:22 AM

    So when you try to access the protcted application , it doesnot work and give 500 error?


    Or does it work, but you are just concerned about these errors in the log?



  • 3.  Re: web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 17, 2015 09:43 AM

    HI,

     

    When we try to get at the protected application the browser spins for 5+ minutes.  Eventually we surrender, I think a 500 error comes up if i recall correctly.

     

    It is impacting both protected sites and non-protected sites.



  • 4.  Re: web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 17, 2015 09:44 AM

    We will need fiddler to understand what's going on..,



  • 5.  Re: web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 18, 2015 10:29 AM

    Ujwol,

     

    that may not help.

     

    Windows has a much  more complex look up system than unix

     

    unix is essentially local (/etc/hosts)  then your set server, if any

    windows goes through those and a few other hoops.

    the other hoops can cause issues.

     

    you can turn them off, as we did when we found we needed to where i am now, but we had to have MS walk us through this. I cant find any docs on it. Sadly i was not on the call.

    I remember hearing afterwords that those who were found the extra things (WINS, etc) to be unnecessarily difficult to turn off.

     

    Doug, As you have the Agent Name mapped in two way (agentName,IP and agentName,FQDN) you might be able to do our initial fix: disableDNSLookup=yes

    (we then added a default agent and host name)

     

    i would test with a default agent name, host name and dns disabled.

    if that works then the issue is the  same as ours. we found that the extra items cause the lookup time to average 90 seconds and often breach 120, with the longest being about 1300 seconds (yeah... that's gonna break anything)

     

    -Josh



  • 6.  Re: web agent not getting headers when enabled with IBM HTTP server

    Posted Dec 24, 2015 04:33 PM

    Definitely sounds like DNS lookup is blocked. Use disablednslookup=yes as suggested above. Agentname/defaultagentname are completely separate issues; pick whatever values you want as long as it/they are defined on the policy server. Btw, fiddler can show you traffic to/from the browser (which includes headers like user agent and cookies), but it can't show you headers coming from the policy server to the web agent (e.g., HTTP_***, SM_USER, etc.).