Symantec Access Management


CA webagent issues on IIS

  • 1.  CA webagent issues on IIS

    Posted Jul 18, 2016 03:05 PM

    Hi Guys,

     

    We have upgraded our Web Agent from R6.x to R12.52, which is running on IIS. Unfortunately, it's not coming up, and even the agent logs and trace logs are not coming up. We are using Windows 2008 OS.

     

    We are seeing the below error in the Event Viewer logs:

     

    Unable to load SiteMinder agent configuration object.

    Check that you are using the right agent configuration object and that it exists in your policy server.

     

    SiteMinder agent has encountered initialization errors and will not service requests.

     

    Could someone help us fix this issue? Thanks.

     

     

    Thanks,



  • 2.  Re: CA webagent issues on IIS

    Posted Jul 18, 2016 09:07 PM

    For the same time frame, do you see any handshake errors on the policy server side (smps.log)? If yes, please post the exact error that you see in smps.log (a few lines).



  • 3.  Re: CA webagent issues on IIS

    Posted Jul 19, 2016 08:44 AM

    Hi Ujwol,

    Thanks for your response. We do see a few handshake errors in smps.log, as below:

     

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:1948][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3159

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:1953][ERROR][sm-Tunnel-00020] Handshake error: Failed to receive client hello. Client disconnected

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with ***********

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:1948][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3159

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:1953][ERROR][sm-Tunnel-00020] Handshake error: Failed to receive client hello. Client disconnected

    [2800/9040][Tue Jul 19 2016 08:36:22][CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with *********

     

    Please suggest further action on this. Thanks



  • 4.  Re: CA webagent issues on IIS

    Posted Jul 19, 2016 12:54 PM

    Please try telnet to all policy server ports (44441, 44442, 44443) from the web server. Also capture a Wireshark trace and check for any communication issues between PS <--> WA.



  • 5.  Re: CA webagent issues on IIS

    Broadcom Employee
    Posted Jul 26, 2016 08:00 AM

    Hi Lokesh,

     

    The error :

     

        Handshake error: Failed to receive client hello. Client disconnected

     

    means that the Web Agent doesn't continue the communication. It can connect,

    but for one reason, it stops unexpectedly.

     

    Try to add

     

        AgentWaitTime="90"

     

    in the WebAgent.conf file on the Web Agent Server. Start over the IIS and

    see if you still reproduce the issue.

     

    Best Regards,

    Patrick



  • 6.  Re: CA webagent issues on IIS

    Posted Jul 19, 2016 01:25 PM

    Hi

     

    Telnet to the policy server is working for 44441, 44442, 44443 as well; we have verified it. We will capture Wireshark logs and see. Thanks.



  • 7.  Re: CA webagent issues on IIS

    Posted Jul 19, 2016 03:27 PM

    Unable to load SiteMinder agent configuration object.

     

    Agent logs and trace logs will not come up since it is unable to load the agent configuration object.

    Can you check the permissions of webagent.conf and smhost.conf?

     

     



  • 8.  Re: CA webagent issues on IIS

    Posted Jul 19, 2016 03:34 PM

    Hi Krishna,

     

    Thanks for your response. Yes, sufficient permissions are there for both smhost.conf and webagent.conf.



  • 9.  Re: CA webagent issues on IIS

    Posted Jul 20, 2016 11:18 AM

    Hi Lokesh,

     

    Try to set the parameter EnableWebAgent="No" and see if it can register the Trusted host first.

    Also consider setting the AgentWaitTime if you suspect any network latency.



  • 10.  Re: CA webagent issues on IIS
    Best Answer

    Posted Jul 20, 2016 09:27 PM

    Hi Lokesh,

     

    Greetings for the day!

     

    As per my knowledge, the error message "Unable to load SiteMinder host configuration object or host configuration file" can occur due to any of the below issues:

    • The HostConfigFile is not at the path listed in the WebAgent.conf
    • The AgentConfigObject of the WebAgent.conf does not match (spelling, case, etc) an Agent Configuration Object in the policy store.
    • The DefaultAgentName is unset or not an agent as defined in the policy store.
    • The SMHost.conf hostname is inaccurate
    • The HostConfigObject of the SMHost.conf does not match (spelling, case, etc) a Host Configuration Object
    • The Host Configuration Object on the Policy Server has no uncommented PolicyServer parameter
    • Error resolving DNS
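
The items in the list above that can be verified on the web server itself, as an added example that is not part of the thread and not CA/Broadcom code. It assumes the name="value" layout of WebAgent.conf and SmHost.conf and a policyserver="host,port,port,port" line in SmHost.conf; the function names, sample object names and temp folder are hypothetical.

```powershell
# Added example, not CA/Broadcom code. Function names and sample values are hypothetical.
function Read-SmConf([string]$Path) {
    # Collect name="value" pairs; lines starting with '#' are comments and are skipped.
    $conf = @{}   # hashtable keys are case-insensitive
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([A-Za-z]\w*)\s*=\s*"?([^"]*)"?\s*$') {
            $name, $value = $matches[1], $matches[2].Trim()
            if (-not $conf.ContainsKey($name)) { $conf[$name] = @() }
            $conf[$name] += $value
        }
    }
    $conf
}

function Test-AgentBootstrap([string]$WebAgentConf) {
    $problems = @()
    $wa = Read-SmConf $WebAgentConf
    if (-not $wa['AgentConfigObject']) { $problems += 'AgentConfigObject is unset in WebAgent.conf' }
    $hostFile = $wa['HostConfigFile'] | Select-Object -First 1
    if (-not $hostFile -or -not (Test-Path -LiteralPath $hostFile -PathType Leaf)) {
        $problems += "HostConfigFile '$hostFile' is not at the path listed in WebAgent.conf"
        return $problems
    }
    $sm = Read-SmConf $hostFile
    # Assumption: SmHost.conf holds hostname, hostconfigobject and policyserver="host,port,port,port".
    foreach ($key in 'hostname', 'hostconfigobject', 'policyserver') {
        if (-not $sm[$key]) { $problems += "$key is missing or commented out in SmHost.conf" }
    }
    foreach ($entry in @($sm['policyserver'] | Where-Object { $_ })) {
        $server = ($entry -split ',')[0].Trim()
        try { [void][System.Net.Dns]::GetHostAddresses($server) }
        catch { $problems += "Policy server '$server' does not resolve in DNS" }
    }
    # Object names must match the policy store exactly (spelling, case); print them for comparison.
    Write-Host "AgentConfigObject = $($wa['AgentConfigObject'])"
    Write-Host "hostconfigobject  = $($sm['hostconfigobject'])"
    $problems
}

# Constructed sample files with placeholder names, written to a temp folder so the check runs offline.
$dir = Join-Path $env:TEMP 'wa-check-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$smHost = Join-Path $dir 'SmHost.conf'
@('hostname="web01-placeholder"', '#hostconfigobject="ExampleHCO"',
  'policyserver="127.0.0.1,44441,44442,44443"') | Set-Content -Path $smHost
$webAgent = Join-Path $dir 'WebAgent.conf'
@("HostConfigFile=`"$smHost`"", 'AgentConfigObject="ExampleACO"', 'EnableWebAgent="NO"') |
    Set-Content -Path $webAgent
Test-AgentBootstrap $webAgent
```

To check a real agent, pass the path of its own WebAgent.conf to Test-AgentBootstrap. Whether the printed object names exist in the policy store still has to be confirmed on the Policy Server side.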


  • 11.  Re: CA webagent issues on IIS

    Posted Jul 21, 2016 07:20 AM

    Hi Lokesh,

     

    Can you confirm the below points:

    1- In the HCO, is the policy server defined by IP address or by hostname of the policy server?

    2- Did you register the web agent with the policy server using the IP address or the hostname of the policy server?

     

    Regards

    Prashant