Symantec Access Management

  • 1.  Bad security handshake attempt. Handshake error: 3159

    Posted Mar 15, 2018 03:11 AM

    Hi Team,

     

    We are seeing the following errors frequently in the smps.log and smtracedefault.log. Can you please help us with this?

     

    smps.log

     

    [18778/4095994736][Thu Mar 15 2018 02:08:44][CServer.cpp:2006][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3159
    [18778/4095994736][Thu Mar 15 2018 02:08:44][CServer.cpp:2011][ERROR][sm-Tunnel-00020] Handshake error: Failed to receive client hello. Client disconnected
    [18778/4095994736][Thu Mar 15 2018 02:08:44][CServer.cpp:2178][ERROR][sm-Server-01070] Failed handshake with ::ffff:10.47.194.102:51286

     

    smtracedefault.log

     

    [03/15/2018][02:09:01.555][02:09:01][18778][4085504880][CServer.cpp:2006][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3159]
    [03/15/2018][02:09:01.555][02:09:01][18778][4085504880][CServer.cpp:2011][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00020] Handshake error: Failed to receive client hello. Client disconnected]
    [03/15/2018][02:09:01.555][02:09:01][18778][4085504880][CServer.cpp:2178][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-01070] Failed handshake with ::ffff:10.47.194.102:21080]
    [03/15/2018][02:09:01.555][02:09:01][18778][4085504880][CServer.cpp:2184][CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][::ffff:10.47.194.102][21080][][][][][Handshake error with trusted host  with IP ::ffff:10.47.194.102 on Port No 21080]
    [03/15/2018][02:09:01.555][02:09:01][18778][4085504880][CServer.cpp:3098][CAgentMessageHandler::HandleClose][][][][][][][][][][][][][][][::ffff:10.47.194.102][21080][][][][][Ending client session #2243342]
    [03/15/2018][02:09:02.310][02:09:02][18778][3991096176][CServer.cpp:3216][CAgentAcceptHandler::HandleInput][][][][][][][][][][][][][][][][][][][][][Received connection request]
    [03/15/2018][02:09:02.311][02:09:02][18778][3991096176][CServer.cpp:1859][CAgentMessageHandler::HandleInput][][][][][][][][][][][][][][][::ffff:10.47.194.101][47033][][][][][Enqueuing a High Priority Message, from IP ::ffff:10.47.194.101 with Port No 47033. Current count is 1]
    [03/15/2018][02:09:02.311][02:09:02][18778][4085504880][CServer.cpp:1423][ThreadPool::Run][][][][][][][][][][][][][][][::ffff:10.47.194.101][47033][][][][][Dequeuing a High Priority message, from IP ::ffff:10.47.194.101 with Port No 47033. Current count is 0]
    [03/15/2018][02:09:02.311][02:09:02][18778][4085504880][CServer.cpp:2116][CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][::ffff:10.47.194.101][47033][][][][][New connection attempt from client host]

     

    Thanks!



  • 2.  Re: Bad security handshake attempt. Handshake error: 3159

    Posted Mar 15, 2018 03:31 AM

    Hi Sriraman,

     

    Bad security handshake attempt. Handshake error: 3159 - Client Disconnect - Socket was closed before receiving client hello.


    https://comm.support.ca.com/kb/what-are-the-possible-handshake-errors-in-policy-server/kb000042071

     

    Do you have any network issue at this time?

     

    Is any monitoring tool polling to check the health of the Policy Server?

     

    Regards,

    Leo Joseph.
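
    Added example, not part of the original thread or of any CA/Broadcom tooling: one way to answer the polling question above from smps.log is to group the 3159 failures by peer address and check whether they arrive at a fixed interval, which is consistent with a health check that opens the port and closes it without sending a client hello. The sample lines are constructed, and the 2-second jitter threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# smps.log layout as shown in the thread: [pid/tid][timestamp][source][level][msg-id] text
LINE = re.compile(r"^\[\d+/(\d+)\]\[([^\]]+)\]\[[^\]]+\]\[\w+\]\[(sm-[\w-]+)\]\s*(.*)$")
PEER = re.compile(r"Failed handshake with (?:::ffff:)?(.+):\d+$")

def failed_handshakes(lines):
    """Yield (timestamp, peer_ip, error_code) for each sm-Server-01070 line."""
    last_code = {}  # thread id -> code from the preceding sm-Tunnel-00010 line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, ts, msg_id, text = m.groups()
        if msg_id == "sm-Tunnel-00010":
            last_code[tid] = int(text.rsplit(":", 1)[1])
        elif msg_id == "sm-Server-01070" and (peer := PEER.search(text)):
            when = datetime.strptime(ts, "%a %b %d %Y %H:%M:%S")
            yield when, peer.group(1), last_code.pop(tid, None)

def summarize(lines, code=3159, jitter=2.0):
    """Per peer: failure count, median gap in seconds, and whether gaps are regular."""
    seen = defaultdict(list)
    for when, ip, err in failed_handshakes(lines):
        if err == code:
            seen[ip].append(when)
    report = {}
    for ip, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps) if gaps else None
        regular = len(gaps) >= 2 and all(abs(g - period) <= jitter for g in gaps)
        report[ip] = {"count": len(stamps), "period_s": period, "regular": regular}
    return report

def _entry(ts, ip, port):  # constructed sample lines, modeled on the excerpt above
    p = f"[18778/4095994736][Thu Mar 15 2018 {ts}]"
    return [f"{p}[CServer.cpp:2006][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3159",
            f"{p}[CServer.cpp:2178][ERROR][sm-Server-01070] Failed handshake with ::ffff:{ip}:{port}"]

SAMPLE = (_entry("02:08:44", "192.0.2.10", 51286) + _entry("02:08:50", "192.0.2.55", 40112)
          + _entry("02:09:14", "192.0.2.10", 51301) + _entry("02:09:44", "192.0.2.10", 51322)
          + _entry("02:10:14", "192.0.2.10", 51340) + _entry("02:13:02", "192.0.2.55", 40977))

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row)
```

    A peer reported as regular is worth matching against the monitoring and load-balancer inventory before changing any agent setting; irregular failures from registered agent hosts point back to the network or trusted-host causes discussed in this thread.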



  • 3.  Re: Bad security handshake attempt. Handshake error: 3159

    Posted Feb 15, 2019 01:07 PM

    Hi Leo Joseph,

     

    I am also facing the same issue. I checked, and one application monitor was installed to check the policy server, and I believe the error is also related to this. The SM policy server is trying to connect with the application monitor, which in turn is not receiving the response. Please help me to resolve the issue.

     

    Regards

    Naga



  • 4.  Re: Bad security handshake attempt. Handshake error: 3159

    Broadcom Employee
    Posted Mar 15, 2018 03:36 AM
    Hi Srirampv85,
    In addition to my colleague's reply:
    You get these errors:
      Bad security handshake attempt. Handshake error: 3159
      Handshake error: Failed to receive client hello. Client disconnected
    mainly because the Web Agent terminates the connection before the
    Policy Server can reply. Many times this can be fixed by setting the
    following parameter in the WebAgent.conf file, which tells the Web Agent
    to wait a little longer before concluding that the Policy Server is not
    responsive. Sometimes, network latency provokes that behavior:
       AgentWaitTime
    To calculate the right value to put, refer to the following communities:
    Put the AgentWaitTime parameter and its value in the WebAgent.conf file.
    Best Regards,
    Patrick


  • 5.  Re: Bad security handshake attempt. Handshake error: 3159

    Posted Mar 15, 2018 11:00 AM

    Hi Patrick,

     

    Thanks for your response. We have two policy servers at our end and we set the AgentWaitTime to 70 seconds.

     

    We have also restarted the LLAWP process after the changes. Still we are facing the issue.

     

    Thanks!



  • 6.  Re: Bad security handshake attempt. Handshake error: 3159

    Broadcom Employee
    Posted Mar 20, 2018 04:22 AM

    Hi Srirampv85,

     

    Ensure that you have put the value of AgentWaitTime in double quotes. If it wasn't set like that, put the value in double quotes, and restart the Web Agent.

     

    Sample:

     

    In WebAgent.conf

     

    AgentWaitTime="75"

     

    Best Regards,

    Patrick



  • 7.  Re: Bad security handshake attempt. Handshake error: 3159

    Broadcom Employee
    Posted Mar 15, 2018 11:10 AM

    You must re-register the trusted host.

     

    The handshake errors might occur for one of the following reasons:

    • Different UNIX platforms use different mechanisms to encrypt and decrypt the shared secret key. As a result, the CA SSO agent may not be able to decrypt the shared secret that is generated on one UNIX system when moved to the other UNIX system.
    • If the Host ID of the agent changes because of a change in the IP address, host name, or MAC address, the agent cannot decrypt the shared secret which was originally generated on the same system.


  • 8.  RE: Re: Bad security handshake attempt. Handshake error: 3159

    Posted Sep 19, 2021 04:19 AM
    • Different UNIX platforms use different mechanisms to encrypt and decrypt the shared secret key. As a result, CA SSO agent may not be able to decrypt the shared secret that is generated on one UNIX system when moved to the other UNIX system - Will this cause any outage to the application?
    • What is the failover mechanism available?