The ProxySG switches between LDAP servers when it determines that the primary LDAP server is down. An LDAP server is considered down if the proxy cannot connect to it, or if a request to the primary LDAP server times out. The default timeout for an LDAP request is 60 seconds. The LDAP timeout is set in the LDAP authentication realm configuration. Making the LDAP timeout too short may cause requests to fail unnecessarily.
The amount of time it takes the proxy to determine that the LDAP server has failed depends on the nature of the failure. For example, if the host machine crashes, the ProxySG has to wait for the TCP/IP backoff algorithm to complete when it attempts to connect, before it gives up on the connection request. This takes approximately 120 seconds. On the other hand, if the machine is up but the LDAP server is not running, the connection fails immediately. The detection time therefore generally ranges from immediate to 180 seconds, but 120 seconds is likely.
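The failure modes described above can be told apart from a monitoring host with a small probe. The following is an added example, not ProxySG code: the function name, the state labels and the probe's own timeouts are assumptions and are independent of the proxy's realm settings.

```python
import socket
import time

# Minimal LDAPv3 anonymous simple bind (BER-encoded), messageID 1.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

IMPLICATION = {  # what each outcome means for failover, per the text above
    "up": "server answered; no failover expected",
    "refused": "host up, LDAP not listening; connection fails immediately",
    "connect_timeout": "host down; proxy waits out TCP backoff (about 120 s)",
    "unreachable": "network error before the connection was established",
    "request_timeout": "connected, no reply; realm LDAP timeout applies (default 60 s)",
    "closed": "peer closed or reset the connection without answering",
    "bad_reply": "something answered, but not with an LDAP message",
}

def classify_ldap_failure(host, port=389, connect_timeout=5.0, request_timeout=5.0):
    """Probe host:port; return (state, seconds). Timeouts are this probe's own."""
    start = time.monotonic()
    elapsed = lambda: time.monotonic() - start
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return "refused", elapsed()
    except (socket.timeout, TimeoutError):
        return "connect_timeout", elapsed()
    except OSError:
        return "unreachable", elapsed()
    with sock:
        sock.settimeout(request_timeout)
        try:
            sock.sendall(ANON_BIND)
            reply = sock.recv(4096)
        except socket.timeout:
            return "request_timeout", elapsed()
        except OSError:
            return "closed", elapsed()
    if not reply:
        return "closed", elapsed()
    return ("up" if reply[:1] == b"\x30" else "bad_reply"), elapsed()  # 0x30 = BER SEQUENCE

if __name__ == "__main__":
    hung = socket.create_server(("127.0.0.1", 0))  # constructed: accepts TCP, never answers
    port = hung.getsockname()[1]
    for label in ("hung listener", "closed port"):
        state, secs = classify_ldap_failure("127.0.0.1", port, 2.0, 1.0)
        print(f"{label}: {state} after {secs:.2f}s -> {IMPLICATION[state]}")
        hung.close()  # second pass hits the now-closed port
```
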