000015693 - Access Manager server is slow and aserver log has 'unable to send data to receiver' messages.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000015693
Applies To: RSA Access Manager 6.0
RSA ClearTrust 5.5.3
None
Issue: Access Manager server is slow and aserver log has "unable to send data to receiver" messages.

aserver.log shows a large number of the following error messages:

messageID=-2,internal_error,description='Unable to send data to receiver.',details='java.io.IOException: Unable to send data to receiver.'


Customers report intermittent slow performance and long authentication or authorization times.
The "Unable to send data to receiver" message simply implies that the agents have exceeded the 15-second response time and have failed over to an alternate aserver. This suggests that the aserver's response time is very poor. The most critical component of aserver performance is the response time from the datastore. The most likely reason for poor aserver response times is a slow LDAP server.

The LDAP profile shows large queries of this type to the policy repository:

ou=ctscPolicyRepository, dc=rsasecurity, dc=com
Filter:
( & (objectClass=ctscEntitlement) (member=cn=user1,dc=rsasecurity, dc=com ) ( | (cn=12420) (cn=12418) (cn=40416) (cn=12414) (cn=12412).....{many more....}

Resolution

Check the processor usage on the LDAP server to ensure that it is not CPU limited. Run a profiling tool on the LDAP server to identify any queries that may be causing high CPU usage on the LDAP server. If the LDAP server is overloaded, identify and correct the cause of the slow performance. If RSA Access Manager is causing the slowdown, review the type of entitlements that are being used.
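
As an added example (not part of the RSA article and not RSA code), the Python below parses search filters copied from an LDAP profile and reports ctscEntitlement searches whose OR list of cn terms is at or above a threshold, widest first. The threshold of 50 and the SAMPLE filters are constructed assumptions; the filter shape follows the one shown under Issue.

```python
# Added example, not RSA code. The threshold and the SAMPLE filters are constructed assumptions.
import re

TOKEN = re.compile(r"\(\s*([&|!])|\(\s*([^()=\s]+)\s*=([^()]*)\)|(\))")

def parse_filter(text):
    """Parse an LDAP filter (spaces tolerated) into ("item", attr, value) / (op, children) tuples."""
    stack, roots = [], []
    for op, attr, value, close in TOKEN.findall(text):
        if op:                                   # "(&", "(|" or "(!" opens a composite node
            stack.append((op, []))
            continue
        if close and not stack:
            raise ValueError("unbalanced ')'")
        node = stack.pop() if close else ("item", attr.lower(), value.strip())
        (stack[-1][1] if stack else roots).append(node)
    if stack or len(roots) != 1:                 # unclosed composite: the filter was cut short
        raise ValueError("truncated or malformed filter")
    return roots[0]

def walk(tree):
    yield tree
    for kid in (tree[1] if tree[0] != "item" else []):
        yield from walk(kid)

def entitlement_fanout(filter_text):
    """Return (member DN, cn terms in the widest OR) for a ctscEntitlement search, else None."""
    nodes = list(walk(parse_filter(filter_text)))
    items = [n for n in nodes if n[0] == "item"]
    if not any(a == "objectclass" and v.lower() == "ctscentitlement" for _, a, v in items):
        return None
    member = next((v for _, a, v in items if a == "member"), None)
    widest = max((sum(k[:2] == ("item", "cn") for k in n[1]) for n in nodes if n[0] == "|"), default=0)
    return member, widest

def heavy_queries(filters, threshold=50):
    """Return (member DN, fan-out) for entitlement searches at or above threshold, widest first."""
    hits = [entitlement_fanout(f) for f in filters]
    return sorted((h for h in hits if h and h[1] >= threshold), key=lambda h: -h[1])

SAMPLE = [
    "( & (objectClass=ctscEntitlement) (member=cn=user1,dc=rsasecurity, dc=com ) ( | "
    + " ".join(f"(cn={12000 + i})" for i in range(120)) + " ) )",
    "(&(objectClass=ctscEntitlement)(member=cn=user2,dc=rsasecurity,dc=com)(|(cn=12420)(cn=12418)))",
    "(&(objectClass=person)(uid=user3))",
]

if __name__ == "__main__":
    print(heavy_queries(SAMPLE))
```

A filter cut short by the profiling tool, like the elided one above, raises ValueError rather than being undercounted.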

Group-based entitlements are not very efficient and may result in queries being run on the LDAP server that are very processor intensive. Group-based entitlements are not indefinitely scalable, and may not be practicable for all installations. If performance is not satisfactory, the following solutions must be considered.

  • Use smart rule based entitlements which are more efficient and scale linearly.
  • Avoid user groups that have a large number of users in them.
  • Avoid user groups that are heavily nested.
  • Avoid entitlements with a large number of user groups associated with them.  Consolidate multiple groups that have entitlements to the same resources into a smaller number of larger groups.
Notes: See solution RSA ClearTrust Authorization Server shows a large number of 'Unable to send data to receiver' errors
Legacy Article ID: a52746