Symantec Access Management

  • 1.  Communication failure between SiteMinder policy server and web agent

    Posted Sep 18, 2015 08:20 AM

    We are experiencing a WebAgent to PolicyServer communication failure. We are getting the error below:

    [21148/2910828288][Tue Sep 15 2015 14:40:52][CSmAuthorizationManager.cpp:166][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.

    [21148/2910828288][Tue Sep 15 2015 14:40:52][CSmHighLevelAgent.cpp:808][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authorization Manager'.

    [21148/2847889152][Tue Sep 15 2015 14:41:13][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned '-1'.

    [21148/2847889152][Tue Sep 15 2015 14:41:13][CSmAuthenticationManager.cpp:194][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.

    [21148/2847889152][Tue Sep 15 2015 14:41:13][CSmHighLevelAgent.cpp:1244][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authentication Manager'.

    [21144/3034453760][Tue Sep 15 2015 15:31:49][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-2'.

     

     

    We have 6 Apaches, out of which this error comes on the first 4 Apaches, which have a different subnet, whereas the other two Apaches have the first two subnet same as the policy servers.

    Also, the error which comes on the Apaches comes after a span of, say, around 15 min.

    I have tried increasing agentwaittime to 120 and Request Timeout 120 (in HCO), but the result remains. Login happens successfully, then it shows the error as stated earlier. Below is the excerpt from the webagent trace log.

    [09/18/2015][06:13:41][8604][2287888128][CSmLowLevelAgent.cpp:541][IsResourceProtected][0000000000000000000000003b61a8c0-219c-55fbe35d-885e6700-d32e49e48dbd][*192.168.97.250][][ca701_agent_fiam][/imchome/gzip_58576322/bundles/imclanguage.js][TSTCUARC2GEALLLOB][Communication failure between SiteMinder policy server and web agent.]

    [09/18/2015][06:13:41][8604][2287888128][CSmProtectionManager.cpp:193][CSmProtectionManager::DoIsProtected][0000000000000000000000003b61a8c0-219c-55fbe35d-885e6700-d32e49e48dbd][*192.168.97.250][][ca701_agent_fiam][/imchome/gzip_58576322/bundles/imclanguage.js][TSTCUARC2GEALLLOB][LowLevelAgent returned SmFailure.]

    [09/18/2015][06:13:41][8604][2287888128][CSmHighLevelAgent.cpp:420][ProcessRequest][0000000000000000000000003b61a8c0-219c-55fbe35d-885e6700-d32e49e48dbd][*192.168.97.250][][ca701_agent_fiam][/imchome/gzip_58576322/bundles/imclanguage.js][TSTCUARC2GEALLLOB][ProtectionManager returned SmNoAction or SmFailure, end new request.]

     

     

    The agent starts successfully; it's only after 10 min or more that it starts giving the error 'Sm_AgentApi_AuthorizeEx' returned '-2' or 'Sm_AgentApi_IsProtectedEx' returned '-2'.

    Also, in the webagent trace log the following error is observed: "Communication failure between SiteMinder policy server and web agent", after which, if we access the application, we get a 500 HTTP error.

    Please advise.
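An added example, not part of the original post and not CA tooling: a small Python parser for the agent error-log layout quoted above. It groups failed Agent API calls by function and return code and reports which process IDs logged them and over what time span, which helps show whether the failures start a fixed interval after agent start. The regular expressions are inferred from the quoted lines only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the quoted lines (an assumption, not a vendor spec):
# [pid/tid][timestamp][source.cpp:line][LEVEL][message-id] text
LINE_RE = re.compile(
    r"\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]"
    r"\[(?P<src>[^\]:]+):(?P<lineno>\d+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<msgid>[^\]]+)\]\s*(?P<text>.*)"
)
API_RE = re.compile(r"'(?P<func>Sm_AgentApi_\w+)' returned '(?P<rc>-?\d+)'")

# Three of the error-log lines from the post above.
SAMPLE = """\
[21148/2910828288][Tue Sep 15 2015 14:40:52][CSmAuthorizationManager.cpp:166][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.
[21148/2847889152][Tue Sep 15 2015 14:41:13][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned '-1'.
[21144/3034453760][Tue Sep 15 2015 15:31:49][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-2'.
"""

def parse(text):
    """Yield one dict per recognisable error-log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%a %b %d %Y %H:%M:%S")
        api = API_RE.search(rec["text"])
        rec["func"] = api["func"] if api else None
        rec["rc"] = int(api["rc"]) if api else None
        yield rec

def summarize(records):
    """Group failed Agent API calls by (function, return code)."""
    out = defaultdict(lambda: {"count": 0, "pids": set(), "first": None, "last": None})
    for r in records:
        if r["func"] is None:
            continue  # HLA "fatal error" lines carry no API return code
        s = out[(r["func"], r["rc"])]
        s["count"] += 1
        s["pids"].add(r["pid"])
        s["first"] = min(s["first"] or r["when"], r["when"])
        s["last"] = max(s["last"] or r["when"], r["when"])
    return dict(out)

if __name__ == "__main__":
    for (func, rc), s in sorted(summarize(parse(SAMPLE)).items()):
        print(func, rc, s["count"], sorted(s["pids"]), s["first"], s["last"])
```

Run against the full error log of each Apache, the per-PID and first/last columns make it easy to compare the four failing servers with the two that work.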



  • 2.  Re: Communication failure between SiteMinder policy server and web agent

    Posted Sep 21, 2015 09:12 AM

    Ankush Ankush

     

    1. Could we know more specifics on the Apache?
      1. Is the Apache built on the PreFork OR Worker model?
      2. Are all the Apaches using the same thread model?
      3. What are the connection parameters defined in httpd.conf for Apache, e.g. MaxClients?
      4. Are these Apache WebServers on different physical machines OR are they on the same physical box running as multiple instances spawned off from a single Apache installation?
      5. If there are multiple Apache instances running on the same box, are these instances using the same SmHost.conf?
    2. Could we know more specifics on the CA SSO configuration?
      1. How many Policy Servers?
      2. Are you using a Standard HCO vs. a Clustered HCO?
      3. Is there other WebAgent traffic hitting these Policy Servers? How many are we approximately looking at?
      4. Try looking at outputs from "smpolicysrv -stats" and/or "smpolicysrv -publish". Run the "smpolicysrv -stats" command periodically, e.g. every 5 or 10 mins, and see the output in smps.log.
      5. Have you tried setting the AgentWaitTime parameter in WebAgent.conf instead of the HCO?

    Beyond the above, there are a few things we could try out. However, it is all about tuning the WebAgents and Policy Servers; the key here is to understand the above first.

     

    Tryout-1: In Smconsole, "maximum number of connections" is the number of connections the Policy Server supports. Have we tried increasing that to 1024?

     

    Tryout-2: Host Configuration Object. Have we tried the following? What is the MaxSocketsPerPort, is it the default 20? Try increasing that to 40.

    NOTE: Before each test, reset the value of the previous Tryout to default. Also test with both Tryouts set.

     

     

     

    Regards

     

    Hubert