In a working system I am still seeing the following warning messages in my Web Agent Logs: "Warning: UNABLE TO PROCESS SMSESSION" what is causing them and is there a problem?

Document ID : KB000051518
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The error messages are generally part of the normal operation of Siteminder. They occur when a users request
present an SMSESSION cookie that has expired through and Idle timeout.

Solution:

These are part of the normal operation of SM6 agents, they occur when users present an SMSESSION cookie that is not current, usually because their sessions have expired.

As users access Siteminder protected resources, they are directed to log on and then get an SMSESSION cookie. However after accessing the initial resource and performing the protected task, many uses will then drift to other websites or perhaps leave their web browser active, but idle for a period of time.

When the user, after this period of "inactivity" then accesses the protected website, if they have not visited it within the a time that exceeds the IDLE timeout of the SMSESSION cookie then the SM6 SP5 webagent will record the failed timestamp with the message "Warning: UNABLE TO PROCESS SMSESSION" and re-direct the user to the authentication scheme, usually the login page.

There will therefore be a number of these warning seen in any webagent log and they are not a cause for alarm. In a webserver environment with many active users, and a short realm timeout, the warning will occur more frequently.

You can influence the number of occurrences of the warning by setting either a smaller or larger idle timeout for your protected realm, and some analysis of the number of these warnings per hour can give you some clue of how many of your users are getting caught and having to re-logon.

Note: This warning was not displayed in the SM5.x agents, and has caused concern after upgrading from SM5.X agents, to SM6.X agents.

Note: The warning is clearer in latter SM6 SP5 Agent CR releases where it now has an updated message that indicates that the SMSESSION was invalid due to a timeout

There are some other conditions under which the SMSESSION warning is given, and if you have a situation where users are unable to access the resource, and every request is receives a "Warning: UNABLE TO PROCESS SMSESSION" then you need to look for other causes, such as a timing difference in the webservers or miscommunication between the webagent and the policy server about the correct session decryption keys.