[PAM] How does PAM internal VIP Load Balancer distribute load

Article ID: 209626

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a PAM Cluster is formed with more than one node in a Site, you need to specify a VIP address.

Once the Cluster is turned on, you can connect to the VIP and get redirected to a Cluster member node.

But how does the VIP know which member node has the least workload?

Environment

Release : ALL

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The VIP is hosted by the Site Leader, so the request is in fact handled by the Site Leader.

The Site Leader checks with the Cluster Members to determine which one has the least workload.
The workload is measured by the number of "xcd_spfd" processes: the node with the fewest "xcd_spfd" processes has the least workload, so the connection is redirected to that node.

The "xcd_spfd" process is the one listening on port 443:

# netstat -anp |grep :443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3334/xcd_spfd

"xcd_spfd" creates a child process to handle each new connection.

These new connections can come from:

1. PAM User logins (long-term connections, as the user may stay logged on for a while)
2. Cluster communication (short-term connections)
3. A2A requests (short-term connections)
4. REST API calls, etc. (short-term connections)
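As an added illustration (not from this article or from the PAM product itself), the shell script below reproduces the selection rule described above on constructed ps-style listings: it counts the "xcd_spfd" processes on each member and picks the member with the fewest. The member names, the listings and the first-listed-wins tie-break are assumptions.

```shell
#!/bin/sh
# Added example: simulate the Site Leader's choice using the metric the
# article describes (number of "xcd_spfd" processes per member).

# Constructed ps-style listings for three placeholder members.
# PID 3334 is the port-443 listener; the other xcd_spfd lines are the
# per-connection child processes it forked.
sample_ps() {
    case "$1" in
    pam-node-a) cat <<'EOF'
root 3334    1 xcd_spfd
root 4101 3334 xcd_spfd
root 4102 3334 xcd_spfd
root 4103 3334 xcd_spfd
EOF
    ;;
    pam-node-b) cat <<'EOF'
root 3334    1 xcd_spfd
root 4201 3334 xcd_spfd
root  512    1 sshd
EOF
    ;;
    pam-node-c) cat <<'EOF'
root 3334    1 xcd_spfd
root 4301 3334 xcd_spfd
root 4302 3334 xcd_spfd
EOF
    ;;
    esac
}

# Count xcd_spfd processes in a listing read from stdin. The listener is
# counted on every node, so only the relative order between nodes matters.
# The [x] pattern keeps a real "ps | grep" from matching itself.
count_spfd() {
    grep -c '[x]cd_spfd' || true   # grep exits 1 on zero matches; 0 is still printed
}

# Emit "member count" lines, one per member, as the Site Leader would poll them.
site_leader_poll() {
    for node in "$@"; do
        printf '%s %s\n' "$node" "$(sample_ps "$node" | count_spfd)"
    done
}

# Pick the member with the lowest count; on a tie the first listed wins
# (assumption: the article does not describe tie-breaking).
pick_least_loaded() {
    awk 'NR == 1 || $2 < min { min = $2; best = $1 } END { print best }'
}

# Full decision: poll the members, then redirect to the least loaded one.
choose_target() {
    site_leader_poll "$@" | pick_least_loaded
}
```

Note that the metric is a connection count, not CPU or memory usage, and a long-lived user session counts the same as a short-lived A2A or REST call.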