
Round Robin load balancing causes unexpected behavior with Encryption Management Server


Article ID: 162371


Updated On:


Encryption Management Server, Gateway Email Encryption, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK


Clients connect to clustered Encryption Management Servers using round robin load balancing and one or more of the following issues are observed:

  • Delays in replication.
  • Some user keys change from SKM mode to GKM mode.
  • Incorrect WDRTs (Whole Disk Recovery Tokens) are returned from the server.  


Do not use round robin load balancing with Encryption Management Server, as there is no logic as to which client will connect to which server.

This applies to both round robin using DNS and to round robin using a load balancer.

For more information on how to ensure high availability, see the following article:
156803 - Using DNS Round Robin and Load Balancers and Reverse Proxies with Encryption Management Server


Generally speaking, when using load balancing with multiple Symantec Encryption Management Servers (SEMS), Symantec recommends having all traffic resolve to only one server and ensuring that the "sticky bit"/persistent sessions setting is configured so that connections do not move to another server midstream.

Having only one server ensures that all data is available at all times and avoids any delays with replication.
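
One way to confirm that a load balancer is keeping clients on a single server, as recommended above, is to audit its connection records for clients that reached more than one cluster member. This is an added example, not code from Symantec or Broadcom; the three-column log layout, the host names and the 30-minute window are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, client address, cluster member that served it.
# The column layout and host names are assumptions, not an EMS or vendor log format.
SAMPLE_LOG = """\
2024-01-10T09:00:00,10.0.0.21,ems1.example.com
2024-01-10T09:00:05,10.0.0.22,ems1.example.com
2024-01-10T09:00:07,10.0.0.21,ems2.example.com
2024-01-10T09:00:30,10.0.0.23,ems1.example.com
2024-01-10T11:30:00,10.0.0.23,ems2.example.com
2024-01-10T09:01:00,10.0.0.22,ems1.example.com
"""

def audit_persistence(log_text, window=timedelta(minutes=30)):
    """Return (backends_seen, moved_clients).

    moved_clients maps a client to the (time, old, new) switches where it
    reached a different cluster member within `window` of its previous
    connection, i.e. the session was not kept on one server.
    """
    last_seen = {}            # client -> (time, backend) of latest connection
    backends = set()          # every cluster member that received traffic
    moved = defaultdict(list)
    # Records may arrive out of order; ISO 8601 timestamps sort as strings.
    rows = sorted(csv.reader(io.StringIO(log_text)), key=lambda r: r[0])
    for ts, client, backend in rows:
        when = datetime.fromisoformat(ts)
        backends.add(backend)
        if client in last_seen:
            prev_when, prev_backend = last_seen[client]
            # A change long after the last connection may be a failover,
            # so only switches inside the window are reported.
            if backend != prev_backend and when - prev_when <= window:
                moved[client].append((ts, prev_backend, backend))
        last_seen[client] = (when, backend)
    return backends, dict(moved)

if __name__ == "__main__":
    backends, moved = audit_persistence(SAMPLE_LOG)
    if len(backends) > 1:
        print("traffic is spread over:", ", ".join(sorted(backends)))
    for client, switches in moved.items():
        for ts, old, new in switches:
            print(f"{client} moved {old} -> {new} at {ts}")
```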