000023587 - Additional connections are seen between the agent and aserver.

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000023587
IssueAdditional connections are seen between the agent and aserver.
The agent appears to be establishing twice as many connections to the aserver as required.
Connections to the aserver are being blocked by a firewall.

The ctagent.log file shows a large number of CT_SERVER_TIMED_OUT messages occurring at an interval equivalent to the cleartrust.agent.auth_server_pool_refresh value.

Mar 23, 2005 08:12:47 PM EST - [2944] - <Critical> - Critical error: CT_SERVER_TIMED_OUT


In a typical deployment only the  "cleartrust.agent.dispatcher_list" parameter needs to be set.  The  "cleartrust.agent.auth_server_list" parameter should not be set at the same time.  The agent will get a full list of available aservers from the dispatcher. 

If the auth_server_list is populated in addition to the dispatcher list the connection pool will be established with additional connections to the duplicate aservers.  This can cause unpredictable load balancing behaviour in DISTRIBUTED mode. 

If the agent is in STANDARD mode the additional aservers connections will typically be idle and are usually disabled by the firewall idle timeout rule between the aserver.  The CT_SERVER_TIMED_OUT messages are the result of the agent attempting to update the connection pool on the duplicate set of aservers.  If these are duplicate connections, by definition they will be idle connections and will have been disabled by the firewall.  If a firewal lis in place refer to solutions a14661 a28615

ResolutionThe auth_server_list should only be populated if an explicit list of aservers is desired either in place of those obtainable by the dispatcher.  (For example for a failover location class)
See solution RSA Cleartrust Agent 4.6 reports twice the numbers of authservers connected as there are physical servers
WorkaroundCustomer is setting both the "cleartrust.agent.dispatcher_list" parameter and the  "cleartrust.agent.auth_server_list" parameter.
Legacy Article IDa34566