Tuesday, June 21, 2011

Very frequent handshake errors

PROBLEM:

[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1392][ERROR] Bad security handshake attempt. Handshake error: 3152

[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1399][ERROR] Handshake error: Failed to receive client hello. Socket error 131
[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1487][ERROR] Failed handshake with 10.10.28.33:56037
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1392][ERROR] Bad security handshake attempt. Handshake error: 3152
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1399][ERROR] Handshake error: Failed to receive client hello. Socket error 131
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1487][ERROR] Failed handshake with 10.10.28.33:56038

Solution:

Here are some parameters you need to check in order to reduce or eliminate the error messages:

* If there is significant network latency, or the Policy Server is overloaded, you may be hitting the Web Agent "RequestTimeout" limit. This is set in the HCO, in SmHost, or in both: the SmHost value applies while the Web Agent is starting up and connecting to the Policy Server named in SmHost, and the HCO value applies once the Web Agent already has the Policy Server details from SmHost and is connecting to the Policy Server named in the HCO. The limit is 60 seconds by default, and if the Policy Server takes longer than this (combined with latency), the Agent will reset the connection and try again. However, this means that users would be waiting a full 60 seconds for a response.

* The Web Agent parameter "AgentWaitTime" (set in 'WebAgent.conf') may allow you to overcome network latency problems during Agent startup. A description of the usage of this parameter follows:

  AgentWaitTime: Specifies the number of seconds that the Web Agent waits for the Lowlevel Agent Worker process (LLAWP) to become available. When the interval expires, the Web Agent tries to connect to the Policy Server. Setting this parameter may help resolve agent start-up errors related to LLAWP connections. We recommend starting with the default value and then increasing the interval by five seconds at a time until the agent starts successfully. (Default: 5 seconds, Upper Limit: 45 seconds)

  'AgentWaitTime' is used whenever the Web Agent is making new connections to the Policy Server. If you have a rather high 'MaxSocketsPerPort' setting (e.g. 60 connections) in the HCO, the issue may occur frequently in your environment during runtime as well as at startup.

  Example: If you have primary and secondary Policy Servers, use a value between 30 and 40. So I'd recommend trying '30' (just restart the web server after making the change). You can simply add "AgentWaitTime=30" to your 'WebAgent.conf' file, and you should see it take effect upon startup in the Web Agent error log (when it lists out all parameters).

* Are you running Apache in Prefork or Worker mode (thread model)? You can tell by running "httpd -V" (capital 'V'). If in Prefork, each incoming request would require its own Apache process, and the Agent would need to make a set of connections for every process as well. Apache Prefork mode limits the Agent to one thread per process, and has serious implications for efficiency (increased Agent to Policy Server connections, etc.).
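Before changing any of these settings it helps to know which Web Agent hosts the failures come from and which error codes they carry. The following is an added example, not part of the original post or of any CA tooling: it parses log lines in the format quoted under PROBLEM and summarizes failed handshakes per connecting host. The function name and the assumption that the first bracketed field identifies the worker handling one attempt are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the six Policy Server log lines quoted in the post.
SAMPLE_LOG = """\
[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1392][ERROR] Bad security handshake attempt. Handshake error: 3152
[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1399][ERROR] Handshake error: Failed to receive client hello. Socket error 131
[24389/145951][Wed Dec 02 2009 14:31:49][CServer.cpp:1487][ERROR] Failed handshake with 10.10.28.33:56037
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1392][ERROR] Bad security handshake attempt. Handshake error: 3152
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1399][ERROR] Handshake error: Failed to receive client hello. Socket error 131
[24389/146023][Wed Dec 02 2009 14:31:49][CServer.cpp:1487][ERROR] Failed handshake with 10.10.28.33:56038
"""

# Assumed layout: [worker][timestamp][source:line][LEVEL] message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]\[[^\]]+\]\[(\w+)\]\s*(.*)$")
HANDSHAKE_CODE_RE = re.compile(r"Handshake error: (\d+)")
SOCKET_CODE_RE = re.compile(r"Socket error (\d+)")
PEER_RE = re.compile(r"Failed handshake with ([\d.]+):(\d+)")


def summarize_handshake_failures(log_text):
    """Return {agent_ip: summary} for every failed handshake in log_text."""
    pending = defaultdict(lambda: {"handshake": set(), "socket": set()})
    summary = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) != "ERROR":
            continue
        worker, ts, _, msg = m.groups()
        codes = pending[worker]  # assumption: lines of one attempt share this field
        codes["handshake"].update(HANDSHAKE_CODE_RE.findall(msg))
        codes["socket"].update(SOCKET_CODE_RE.findall(msg))
        peer = PEER_RE.search(msg)
        if not peer:
            continue
        # The "Failed handshake with" line closes the attempt: attribute the
        # codes collected for this worker to the connecting host.
        when = datetime.strptime(ts, "%a %b %d %Y %H:%M:%S")
        host = summary.setdefault(peer.group(1), {
            "failures": 0, "ports": set(), "handshake": set(),
            "socket": set(), "first": when, "last": when})
        host["failures"] += 1
        host["ports"].add(int(peer.group(2)))
        host["handshake"] |= codes["handshake"]
        host["socket"] |= codes["socket"]
        host["first"], host["last"] = min(host["first"], when), max(host["last"], when)
        del pending[worker]
    return summary
```

Run it over a full log and compare `failures` and the number of distinct source `ports` per host within the `first` to `last` window: several ports from one host in the same second means that agent is opening connections in batches.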

2 comments:

  1. CA Siteminder Online Training
    Call Us-91-900-044-4287 21st Century Software Solutions Online Training
    21st Century SiteMinder Training Synopsis:
    Through a combination of presentations and hands-on lab work, the students will go through a complete SiteMinder implementation project, including installation, configuration, deploying agents, protecting applications, maintaining, and troubleshooting.
    Target Audience for Online CA SiteMinder Courses:
    This course is designed for Deployment Consultants, Architects and Administrators, who
    will be building, deploying and/or maintaining a SiteMinder infrastructure.
    http://www.21cssindia.com/courses/ca-siteminder-online-training-190.html

  2. I found your blog very interesting. Do you have any other article regarding Webagent 12.5x and 12.x? Or do you know about where to find information regarding those issues? Would your article also be representative for 12.x?
    Regards
    AP
