NetIQ Access Gateway stops accepting new client connections

  • 7010977
  • 22-Oct-2012
  • 12-Aug-2014

Environment

NetIQ Access Manager 4.0

NetIQ Access Manager 3.2
NetIQ Access Manager Access Gateway 3.2 on Linux

Novell Access Manager 3.1.4
Novell Access Manager Access Gateway 3.1.4 on Linux

Situation

  • Access Gateway does not accept any new client connections

  • Access Gateway error log reports:
    [error] server is within MinSpareThreads of MaxClients, consider raising the MaxClients setting
    [error] server reached MaxClients setting, consider raising the MaxClients setting

  • "netstat -patne" shows only a small number of TCP connections in use by the proxy service (e.g. "9" connections in progress).

  • CPU runs into high utilization

Resolution

  • configure the lcache service to always use the cache file:
    edit the logevent.conf file and make sure the following two entries are set

    LogForceCaching=Y
    LogCacheLimitAction=roll cache


    This configuration should also improve the performance of the system as a whole. User requests will not be delayed, because the Access Gateway will no longer try to establish a connection itself in order to push naudit log events to the audit server. Instead, events are first cached and then pushed to the audit server by the lcache process in the background.

  • Due to lcache crashes it can happen that the process runs as a non-root user, causing it to fail. To avoid this situation, change the file mode of the lcache binary with "chmod 4755 /opt/novell/naudit/lcache" (mode 4755 sets the setuid bit, so the binary runs with root privileges regardless of which user starts it).

Cause

There are two situations which can cause this problem:
  1. The naudit service on the Access Gateway could not communicate with the configured audit server due to an outage, and the lcache configuration stored in "logevent.conf" has not been configured for caching mode.

  2. The lcache process crashed and restarted itself as a non-root user.

Additional Information

The script monitors the lcache process every 60 seconds and schedules a restart if it is not running as user root.
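The following POSIX shell script is an added example and is not part of this TID, nor a script shipped by NetIQ or Novell. It covers both Resolution entries (verifying that logevent.conf carries the two caching entries and that the lcache binary is mode 4755 owned by root) and implements the 60-second owner check described in Additional Information. The location of logevent.conf, the restart command, and the sample ps lines used in the checks are assumptions or constructed values; the lcache binary path is the one given in the TID.

```shell
#!/bin/sh
# Added example (not from the TID): health checks for the two causes the
# article lists, plus the 60-second lcache owner monitor it describes.

LOGEVENT_CONF="${LOGEVENT_CONF:-/etc/logevent.conf}"       # assumed location of logevent.conf
LCACHE_BIN="${LCACHE_BIN:-/opt/novell/naudit/lcache}"      # path given in the TID
RESTART_CMD="${RESTART_CMD:-echo 'restart lcache here'}"   # placeholder: site-specific restart command

# Return 0 when FILE contains both caching entries the TID requires.
# Tolerates whitespace around '=' and ignores commented-out lines.
logevent_caching_ok() {
  file="$1"
  [ -r "$file" ] || return 1
  grep -Eq '^[[:space:]]*LogForceCaching[[:space:]]*=[[:space:]]*Y[[:space:]]*$' "$file" || return 1
  grep -Eq '^[[:space:]]*LogCacheLimitAction[[:space:]]*=[[:space:]]*roll cache[[:space:]]*$' "$file" || return 1
  return 0
}

# Read 'ps -eo user=,pid=,comm=' style lines on stdin and print the PIDs of
# lcache processes whose owner is not root. Empty output means healthy.
lcache_nonroot_pids() {
  awk '$3 == "lcache" && $1 != "root" { print $2 }'
}

# Return 0 when MODE/OWNER match the setuid-root mode the TID recommends (4755, root).
mode_is_setuid_root() {
  [ "$1" = "4755" ] && [ "$2" = "root" ]
}

# Wrapper: read the real mode and owner of the binary (GNU stat, Linux).
lcache_mode_ok() {
  bin="$1"
  [ -e "$bin" ] || return 1
  # shellcheck disable=SC2046
  mode_is_setuid_root $(stat -c '%a %U' "$bin")
}

# One-shot report of both conditions; returns 0 only if everything is in order.
check_all() {
  rc=0
  if logevent_caching_ok "$LOGEVENT_CONF"; then
    echo "ok: caching entries present in $LOGEVENT_CONF"
  else
    echo "warn: LogForceCaching=Y / LogCacheLimitAction=roll cache not both set in $LOGEVENT_CONF"
    rc=1
  fi
  if lcache_mode_ok "$LCACHE_BIN"; then
    echo "ok: $LCACHE_BIN is mode 4755 owned by root"
  else
    echo "warn: $LCACHE_BIN is not mode 4755 owned by root"
    rc=1
  fi
  bad="$(ps -eo user=,pid=,comm= 2>/dev/null | lcache_nonroot_pids)"
  if [ -n "$bad" ]; then
    echo "warn: lcache running as non-root, pid(s): $bad"
    rc=1
  fi
  return $rc
}

# Monitor loop described in the TID: every INTERVAL seconds (default 60),
# schedule a restart if lcache is running as a non-root user.
monitor_lcache() {
  interval="${1:-60}"
  while :; do
    bad="$(ps -eo user=,pid=,comm= 2>/dev/null | lcache_nonroot_pids)"
    if [ -n "$bad" ]; then
      logger -t lcache-monitor "lcache running as non-root (pid(s): $bad); scheduling restart"
      sh -c "$RESTART_CMD"
    fi
    sleep "$interval"
  done
}

# Usage: script.sh --check      one-shot report
#        script.sh --monitor    run the 60-second monitor loop in the foreground
case "${1:-}" in
  --check)   check_all ;;
  --monitor) monitor_lcache 60 ;;
esac
```

Run it once with `--check` after applying the Resolution steps to confirm both settings took effect; `--monitor` is meant to be started from an init script or a supervisor so that it survives reboots.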