000025051 - RSA Access Manager - CT_SOCKET_ERROR and CT_SERVER_TIMED_OUT_ERROR logs in ctagent.log file

Document created by RSA Customer Support Employee on Aug 1, 2017
Version 1

Article Content

Article Number: 000025051
Applies To: RSA Product Set: ClearTrust/Access Manager Web Agents
RSA Version/Condition: Through All 5.0 versions
Issue: CT_SOCKET_ERRORS in ctagent.log file.

The following error shows in the ctagent.log file.


Feb 24, 2007 06:48:50 PM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SOCKET_ERROR

 

The following error shows in the ctagent.log file.


01, 2007 08:00:40 AM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SERVER_TIMED_OUT_ERROR
Cause

The CT_SOCKET_ERROR indicates that the TCP/IP connection between the agent and the aserver has been dropped. If this error occurs during periods where the agent is idle, it typically is the result of a firewall dropping the idle connection. This error will also occur in any situation where the network connection is disrupted. 


The CT_SERVER_TIMED_OUT_ERROR indicates that the aserver did not respond within the timeout limit (default 15 seconds). This error can also occur if the TCP/IP socket is dropped. It may also occur if the socket connection is live, but the aserver is unresponsive due to load.


The ClearTrust Agent maintains a list of all aservers sorted by location class and establishes connections to each of these aservers. If the agent is in STANDARD mode, or is using location classes, only a few of these aserver connections may be actively used. The remaining connections are usually idle. If there is a firewall between the agent and the aserver, these idle connections may be blocked by the firewall (typically after 1 hour). Attempts to use these idle connections will result in CT_SOCKET_ERRORS. The agent also attempts to validate these connections during a pool refresh event (again typically set to 1 hour). This can also cause extra error messages every hour.


The dropped sockets do not usually cause a problem because the agent will open new connections for any that are invalidated by the firewall, but they will cause CT_SOCKET_ERRORs to be written to the log file. For the most part the CT_SOCKET_ERRORs can be ignored, especially if they occur at a regular (1 hour) frequency. When a primary aserver fails and the agent fails over to a new location class or a secondary aserver in STANDARD mode, there may be a short delay in processing requests due to the time it takes the agent to determine that the socket is invalid and open a new connection.
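As an added example (not RSA's code), one way to check whether the errors follow the regular cadence described above: parse ctagent.log lines in the format shown in this article and label each aserver's error series as periodic or irregular. The 3600-second period, the 120-second tolerance, the function names and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout taken from the two log excerpts in the article. The time zone
# token is matched but ignored (assumption: one zone per log file).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2} [AP]M) \w+ - \[\d+\] - "
    r"<\w+> - server#\d+, (?P<addr>[\d.]+:\d+) "
    r"(?P<code>CT_SOCKET_ERROR|CT_SERVER_TIMED_OUT_ERROR)$")

# Constructed sample lines (not from a real log); the last one is truncated.
SAMPLE = """\
Feb 24, 2007 06:48:50 PM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SOCKET_ERROR
Feb 24, 2007 07:48:52 PM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SOCKET_ERROR
Feb 24, 2007 08:48:49 PM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SOCKET_ERROR
Feb 24, 2007 06:50:10 PM MST - [14] - <Critical> - server#2, 10.10.10.11:5615 CT_SERVER_TIMED_OUT_ERROR
Feb 24, 2007 06:53:31 PM MST - [14] - <Critical> - server#2, 10.10.10.11:5615 CT_SERVER_TIMED_OUT_ERROR
Feb 24, 2007 07:20:05 PM MST - [14] - <Critical> - server#2, 10.10.10.11:5615 CT_SERVER_TIMED_OUT_ERROR
01, 2007 08:00:40 AM MST - [12] - <Critical> - server#1, 10.10.10.10:5615 CT_SERVER_TIMED_OUT_ERROR
""".splitlines()

def parse_ctagent(lines):
    """Return (timestamp, aserver address, error code) for each matching line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # truncated or unrelated lines are skipped
            ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p")
            events.append((ts, m["addr"], m["code"]))
    return events

def classify(events, period=3600, tolerance=120):
    """Label each (address, code) series 'periodic' when every gap between
    consecutive events is close to a whole multiple of the refresh period."""
    def on_schedule(gap):
        n = round(gap / period)
        return n >= 1 and abs(gap - n * period) <= tolerance
    series = defaultdict(list)
    for ts, addr, code in events:
        series[(addr, code)].append(ts)
    verdicts = {}
    for key, stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            verdicts[key] = "insufficient-data"
        else:
            verdicts[key] = "periodic" if all(map(on_schedule, gaps)) else "irregular"
    return verdicts
```

A series labelled irregular does not match the hourly firewall or pool-refresh pattern and is the one to examine for network disruption or aserver load.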

Resolution

To reduce the number of CT_SOCKET_ERRORS in the agent log file, you may:


1. Decrease the cleartrust.agent.auth_server_pool_refresh interval to a period slightly less than the firewall's idle timeout value. This will prevent the sockets from being dropped by the firewall between pool refresh events.


2. Set the cleartrust.agent.max_open_connections value to the number of active connections in your aserver pool. This will prevent the agent from maintaining idle connections to fail-over aservers. Instead connections will be created only on demand.

Workaround: The ClearTrust agent was upgraded to a hotfix later than 4.6.0.98. In hotfix 4.6.0.98 additional logging was added that may increase the frequency of CT_SERVER_TIMED_OUT messages in the log file.
Notes: For more information see solution RSA ClearTrust Authentication servers stop responding to requests after a period of Agent inactivity
Legacy Article ID: a33720
