When WebAgent is accessed by multiple threads, Policy Server outputs handshake errors.

Document ID : KB000006640
Last Modified Date : 14/02/2018
Issue:

When the 'StartServers' value is increased and WebAgent is accessed by multiple threads, WebAgent sends RST packets to Policy Server and Policy Server outputs handshake errors.

[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 10.131.xxx.xxx:57654

Cause:

This problem originates on the kernel side, not in CA SSO.

When Apache runs in 'prefork' mode and too many processes are created (e.g. by increasing the httpd.conf values that control the number of processes, or by access from many threads), many orphaned child processes are likely to exist.

In this situation, the kernel's 'tcp_max_orphans' value can be exceeded, in which case these processes are reset immediately and a warning is printed.
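
To confirm this cause on the WebAgent host, the kernel's orphan count can be compared with the 'tcp_max_orphans' limit. The script below is an added example, not part of the original KB article or of CA SSO. It assumes a Linux host exposing /proc/net/sockstat and /proc/sys/net/ipv4/tcp_max_orphans; the function names and the 80% warning threshold are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the KB article): compare the kernel's current count
# of orphaned TCP sockets with the tcp_max_orphans limit.

# orphan_count FILE: print the "orphan" value from the "TCP:" line of a
# /proc/net/sockstat-format file.
orphan_count() {
    awk '$1 == "TCP:" { for (i = 2; i < NF; i += 2)
             if ($i == "orphan") { print $(i + 1); exit } }' "$1"
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# orphan_status [SOCKSTAT] [LIMIT_FILE] [WARN_PCT]
# Prints "<STATE> orphans=N limit=M"; returns 0 OK, 1 WARN, 2 EXCEEDED, 3 unreadable.
orphan_status() {
    sockstat=${1:-/proc/net/sockstat}
    limit_file=${2:-/proc/sys/net/ipv4/tcp_max_orphans}
    warn_pct=${3:-80}                       # assumed warning threshold
    orphans=$(orphan_count "$sockstat" 2>/dev/null) || orphans=""
    limit=$(cat "$limit_file" 2>/dev/null) || limit=""
    if ! is_uint "$orphans" || ! is_uint "$limit"; then
        echo "UNKNOWN orphans=${orphans:-?} limit=${limit:-?}"; return 3
    fi
    if [ "$orphans" -ge "$limit" ]; then
        echo "EXCEEDED orphans=$orphans limit=$limit"; return 2
    elif [ $((orphans * 100)) -ge $((limit * warn_pct)) ]; then
        echo "WARN orphans=$orphans limit=$limit"; return 1
    fi
    echo "OK orphans=$orphans limit=$limit"
}

# Constructed sample data (not captured from a real host) for an offline run.
demo() {
    d=$(mktemp -d) || return 1
    printf 'sockets: used 9000\nTCP: inuse 310 orphan 4100 tw 52 alloc 4500 mem 700\n' > "$d/sockstat"
    echo 4096 > "$d/limit"
    orphan_status "$d/sockstat" "$d/limit"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true    # prints: EXCEEDED orphans=4100 limit=4096
```

Calling `orphan_status` with no arguments reads the live /proc files. The value is a point-in-time snapshot, so sample it while the multi-threaded load is running.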

Resolution:

Change the MPM mode to 'worker' instead of 'prefork'.
