search cancel

Incorrect load balancing between the two CA Policy Servers


Article ID: 186782


Updated On:


CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder)


We are currently experiencing an anomaly in the load balancing of authentication requests between the two CA Policy Servers in the Production environment.
Our infrastructure is composed as follows:

 - 2 CA Policy Server

 - 1 CA AdminUI

 - 2 CA Access Gateway

 - CA Web Agent (used in agent-based interactions)

In general we have noticed that in the smaccess.log of Policy Server 1 more occurrences of AuthAccept, AuthReject and AuthAttempt are tracked than in Policy Server 2. We confirm that during the configuration phase, both for CA Access Gateway and CA Web Agent, the Host Configuration Objects has been configured as follows:

Policy Servers: <policy_server1><Accounting Port><Authentication Port><Authorization Port>.

   <policy_server2><Accounting Port><Authentication Port><Authorization Port>

Enable Failover: NO

Maximum Sockets Per Port: 20

Minimum Sockets Per Port: 2

New Socket Step: 2

Request Timeout: 60

For example, Policy Server 1 traced 6905 occurrences of AuthAccept in a week's trace and CA Policy Server 2 traced 836 occurrences.

After this premise, what is causing an incorrect load balance between the two Policy Servers?

Is it necessary to configure additional parameters to ensure a correct load distribution between the two CA Policy Servers?


Release : 12.8



Ideally if the Failover is NO that means it is round robin. The request sequentially  will go the list of  Policy servers,

However, if  a Policy Server is not responding with in time it will reach the next Policy Server , because  the request can not stop at that PS and fail,

So there would be dependency on the network response as well,