Round Robin load balancing causes unexpected behavior with Encryption Management Server


Article ID: 162371


Products

  • Encryption Management Server
  • Gateway Email Encryption
  • Encryption Management Server Powered by PGP Technology
  • Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

When clients connect to clustered Encryption Management Servers through round robin load balancing, one or more of the following issues are observed:

  • Delays in replication.
  • Some user keys change from SKM mode to GKM mode.
  • Incorrect WDRTs (Whole Disk Recovery Tokens) are returned from the server.  

Resolution

Do not use round robin load balancing with Encryption Management Server, because round robin applies no logic to which client connects to which server.

This applies to both round robin using DNS and to round robin using a load balancer.

For more information on how to ensure high availability, see article 156803.

Generally speaking, when using load balancing with multiple Symantec Encryption Management Servers (SEMS), Symantec recommends having all traffic resolve to only one server and ensuring that the "sticky bit/persistent sessions" setting is configured so that connections do not move to another server midstream.

Having only one server will ensure that all data is available at all times and that there are no delays with replication.
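
The recommendation above, sketched as a load balancer configuration. This is an added example, not taken from the article or from Symantec documentation. It assumes HAProxy as the load balancer, and the server names, the 192.0.2.x addresses and port 443 are constructed placeholders.

```haproxy
# Constructed example: names, addresses (documentation range) and port are assumptions.

defaults
    mode tcp
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# Pattern the article says not to use: every new connection is handed to the
# next cluster member, so one client ends up talking to several servers.
# backend sems_round_robin
#     balance roundrobin
#     server sems1 192.0.2.11:443 check
#     server sems2 192.0.2.12:443 check

frontend sems_clients
    bind :443
    default_backend sems_single_active

backend sems_single_active
    # Persistent ("sticky") sessions keyed on client source IP: a client keeps
    # returning to the server it was first assigned to.
    stick-table type ip size 100k expire 8h
    stick on src

    # All traffic resolves to sems1. The "backup" keyword means sems2 receives
    # connections only while sems1 is failing its health check.
    server sems1 192.0.2.11:443 check
    server sems2 192.0.2.12:443 check backup
```

The same single-target rule applies to DNS: the client-facing hostname should resolve to one address only, since several A records for one name produce round robin without any load balancer involved.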