ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

[PAM] How does PAM internal VIP Load Balancer distribute load


Article ID: 209626


Updated On:


CA Privileged Access Manager (PAM)


When PAM Cluster is formed with more than 1 node in a Site you need to specify a VIP address.

Once the Cluster is turned on, you can access VIP and get redirected to a Cluster member node.

But how does VIP know which member node has the least workload?


Release : ALL



VIP is hosted by the Site Leader.
So in fact the request is handled by the Site Leader.

The Site Leader checks with Cluster Members to determine who has the least workload.
The workload is determined by the number of "xcd_spfd" processes. Least number of "xcd_spfd" processes means least workload so the connection will be redirected to that node.


"xcd_spfd" process is the one listening on port 443.

# netstat -anp |grep :443
tcp        0      0   *               LISTEN      3334/xcd_spfd


"xcd_spfd" creates child process to handle each new connection.

These new connections would be coming from:

1. PAM User login (long term connection as the user may stay logged on for a while)
2. Cluster communication (short term connections)
3. A2A requests (short term connections)
4. REST API calls and etc. (short term connections)