Using the Single Sign-On Statistics in the TSR

The Tech Support Report (TSR) includes a rich set of SSO performance and error statistics. These can be used to gauge how well SSO is performing in your installation.

To view the Tech Support Report

1. Navigate to the Device > Diagnostics > Tech Support Report page.
2. Click Download Tech Support Report.
3. Search for the title, SSO operation statistics.
4. Download and open the report.

Here are the counters to look at in particular:

• Under SSO ring buffer statistics, look at Ring buffer overflows and Maximum time spent on ring. If the latter approaches or exceeds the polling rate, or if any ring buffer overflows are shown, then requests are not being sent to the agent quickly enough. Also, if the Current requests waiting on ring is constantly increasing, that would indicate the same. This means that the Maximum requests to send at a time value should be increased to send requests faster. However, that increases the load on the agent, and if the agent cannot handle the additional load, then problems result, in which case it might be necessary to consider moving the agent to a more powerful PC or adding additional agents.
• Under SSO operation statistics, look at Failed user id attempts with time outs and Failed user id attempts with other errors. These should be zero or close to it – significant failures shown here indicate a problem with the agent, possibly because it cannot keep up with the number of user authentications being attempted.
• Also under SSO operation statistics, look at the Total users polled in periodic polling, User polling failures with time outs, and User polling failures with other errors. Seeing some timeouts and errors here is acceptable and probably to be expected, and occasional polling failures do not cause problems. However, the error rate should be low (an error rate of about 0.1% or less should be acceptable). Again, a high failure rate here would indicate a problem with the agent, as above.
• Under SSO agent statistics, look at the Avg user ID request time and Avg poll per-user resp time. These should be in the region of a few seconds or less – something longer indicates possible problems on the network. Note, however, that errors caused by attempting to authenticate traffic from non-Windows PCs through SSO (which can take a significantly long time) can skew the Avg user ID request time value, so if this is high but Avg poll per-user resp time looks correct, that would indicate the agent is probably experiencing large numbers of errors, likely due to attempting to authenticate non-Windows devices.
• If using multiple agents, then also under SSO agent statistics look at the error and timeout rates reported for the different agents, and also their response times. Significant differences between agents could indicate a problem specific to one agent that could be addressed by upgrading or changing settings for that agent in particular.
• Traffic from devices other than PCs can trigger SSO identification attempts and that can cause errors and/or timeouts to get reported in these statistics. This can be avoided by configuring an address object group with the IP addresses of such devices, and doing one or both of the following:
  • If using Content Filtering, select that address object with the Bypass the Single Sign On process for traffic from setting on the Enforcement tab of the SSO configuration dialog.
  • If access rules are set to allow only authenticated users, set separate rules for that address object with Users Allowed set to All.

  To identify the IP addresses concerned, look in the TSR and search for IP addresses held from SSO attempts. This lists SSO failures in the preceding period set by the Hold time after failure setting.

  If any of the listed IP addresses are for are Mac/Linux PCs, see Accommodating Mac and Linux Users.

  To limit the rate of errors due to this situation, you can also extend the Hold time after failure setting on the Users tab.