ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Incorrect load balancing between the two CA Policy Servers

book

Article ID: 186782

calendar_today

Updated On:

Products

CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We are currently experiencing an anomaly in the load balancing of authentication requests between the two CA Policy Servers in the Production environment.
Our infrastructure is composed as follows:

 - 2 CA Policy Server

 - 1 CA AdminUI

 - 2 CA Access Gateway

 - CA Web Agent (used in agent-based interactions)

In general we have noticed that in the smaccess.log of Policy Server 1 more occurrences of AuthAccept, AuthReject and AuthAttempt are tracked than in Policy Server 2. We confirm that during the configuration phase, both for CA Access Gateway and CA Web Agent, the Host Configuration Objects has been configured as follows:

Policy Servers: <policy_server1><Accounting Port><Authentication Port><Authorization Port>.

   <policy_server2><Accounting Port><Authentication Port><Authorization Port>

Enable Failover: NO

Maximum Sockets Per Port: 20

Minimum Sockets Per Port: 2

New Socket Step: 2

Request Timeout: 60

For example, Policy Server 1 traced 6905 occurrences of AuthAccept in a week's trace and CA Policy Server 2 traced 836 occurrences.

After this premise, what is causing an incorrect load balance between the two Policy Servers?

Is it necessary to configure additional parameters to ensure a correct load distribution between the two CA Policy Servers?

Environment

Release : 12.8

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

Ideally if the Failover is NO that means it is round robin. The request sequentially  will go the list of  Policy servers,

However, if  a Policy Server is not responding with in time it will reach the next Policy Server , because  the request can not stop at that PS and fail,

So there would be dependency on the network response as well,