Article Number
000029150
Applies To
RSA Product Set: ClearTrust
RSA Product/Service Type: Web Agent IIS
RSA Version/Condition: V5.0
Platform: Windows
O/S Version: Server 2012 R2
Product Name: RSA-0010020
Product Description: Access Manager
Issue
The dispatcher.out file (standard output log) at the debug level shows a large number of the following exceptions:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
at sirrus.dispatcher.AuthListRequestHandler.configureSocket(AuthListRequestHandler.java:128)
at sirrus.dispatcher.AuthListRequestHandler$ClientConnection.run(AuthListRequestHandler.java:292)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
The dispatcher.log file (or lserver.log file) shows a large number of the following log entries:
sequence_number=22,remote_client=dispatcher,2014-11-19 09:24:45:00 EST,messageID=0,event_type=Error,error=javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake,description=Error handling client connection from 10.10.10.10 123/10.10.10.10:53985
If you monitor the listen threads on the dispatcher, you will see many "ClientConnection" threads in MONITOR state instead of RUNNING state.
Cause
This error message indicates that the client has abandoned the connection, likely due to a timeout. If a large number of these are logged, it may mean the dispatcher is slow to respond. The client timeout value is 10 seconds; clients that do not complete the SSL handshake in 10 seconds will retry.
If RSA Access Manager is configured to use the iserver and it is configured to send traps on log level 10 events, it will attempt to send a trap message to the iserver for each critical failure. If a failure occurs during the SSL handshake, it generates a messageID=0 critical level message, and the dispatcher will pause all other ClientConnection threads while it sends this message. If the iserver is slow to respond, this may cause the other listen threads to also time out, generating more failure messages.
The following dispatcher.out standard output log excerpt at the debug level shows thread 620 being paused until the previous error on thread 619 has been processed.
20:50:05:640 [*] [ClientConnection-619] - ClientConnection: Setting the SoTimeout to (before configure socket) 30000
20:50:05:640 [*] [ClientConnection-619] - ClientConnection: SSL Handshake started....
20:50:05:640 [*] [AuthListRequestHandler] - --> AuthListRequestHandler: accepted connection from 10.10.10.10 on port 5608
20:50:05:642 [*] [ClientConnection-619] - Thread requesting stream. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake (error occurs)
…
20:50:10:141 [*] [ClientConnection-620] - ClientConnection: Setting the SoTimeout to (before configure socket) 30000
20:50:10:141 [*] [AuthListRequestHandler] - --> AuthListRequestHandler: accepted connection from 10.10.10.10 on port 5608
20:50:10:141 [*] [ClientConnection-620] - ClientConnection: SSL Handshake started....
20:50:10:143 [*] [ClientConnection-619] - LogEventDispatcher: current log level is 20 event's log level is 10 (SNMP log message sent)
20:50:10:143 [*] [ClientConnection-620] - Thread requesting stream.javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake (error occurs)
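To find this pattern in a larger dispatcher.out capture, the gap between a handshake failure and the LogEventDispatcher line on the same thread can be measured with a short script. This is an added example, not RSA code; the function name trap_stalls and the 1000 ms threshold are assumptions, and the sample lines are taken from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Debug line layout as in the excerpt above: HH:MM:SS:mmm [*] [thread] - message
LINE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3}) \[\*\] \[([^\]]+)\] - (.*)$")
DISPATCH = re.compile(r"LogEventDispatcher: current log level is \d+ event's log level is \d+")
DAY_MS = 24 * 60 * 60 * 1000

# Lines taken from the article's excerpt (parenthesised annotations dropped).
SAMPLE = [
    "20:50:05:640 [*] [ClientConnection-619] - ClientConnection: SSL Handshake started....",
    "20:50:05:642 [*] [ClientConnection-619] - Thread requesting stream. "
    "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake",
    "…",
    "20:50:10:141 [*] [ClientConnection-620] - ClientConnection: SSL Handshake started....",
    "20:50:10:143 [*] [ClientConnection-619] - LogEventDispatcher: "
    "current log level is 20 event's log level is 10",
    "20:50:10:143 [*] [ClientConnection-620] - Thread requesting stream."
    "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake",
]

def trap_stalls(lines, threshold_ms=1000):
    """Return (thread, error_timestamp, gap_ms) for every handshake failure whose
    log event was dispatched at least threshold_ms after the failure was logged."""
    pending = {}   # thread name -> (timestamp text, parsed time) of its failure
    stalls = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames, elisions and blank lines
        stamp, thread, msg = m.groups()
        now = datetime.strptime(stamp, "%H:%M:%S:%f")
        if "SSLHandshakeException" in msg:
            pending.setdefault(thread, (stamp, now))  # keep the first failure
        elif DISPATCH.search(msg) and thread in pending:
            err_stamp, err_time = pending.pop(thread)
            gap = (now - err_time) // timedelta(milliseconds=1)
            if gap < 0:
                gap += DAY_MS  # timestamps carry no date; assume a midnight rollover
            if gap >= threshold_ms:
                stalls.append((thread, err_stamp, gap))
    return stalls

if __name__ == "__main__":
    for thread, stamp, gap in trap_stalls(SAMPLE):
        print(f"{thread}: handshake failed at {stamp}, log event dispatched {gap} ms later")
```

Threads that logged a failure but have no LogEventDispatcher line yet (thread 620 in the sample) are not reported.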
Resolution
Disable SNMP traps, or set the trap threshold to a lower level to reduce the impact of SNMP traps on the dispatcher service, by setting this parameter lower:
cleartrust.dispatcher.snmp.trapqueue.maxlimit=10