
PIM/PAMSC Effective Policy is not getting deployed on all endpoints


Article ID: 228636




CA Privileged Access Manager - Server Control (PAMSC)


Would like to kindly verify with you the reasons for an effective policy not getting deployed on the host.

Could this be related to the existing issue of our PAMSC environment which is having a lot of pending messages? I know every hour the agent's policyfetcher should be picking up any effective policy. The ENTM server shows the policy as pending.


C:\Users\Administrator>sepmd -L DMS__
CA Privileged Access Manager Server Control sepmd v14.10.0.1119 - Policy Model management

Copyright (c) 2018 CA. All rights reserved.

Initial offset:      0

Last offset:         946311444

Subscriber                             Errors    Flag     Offset   Next command
==========                             =======   ======   =======  ============
Topic: ac_server_to_server_broadcast (DH)       0                 946311444

Message queue subscriber: Topic: ac_server_to_server_broadcast (DH)
Last update time        : Sat Nov 13 15:30:22 2021
Daily messages sent     : 1858

Subscriber name                Pending messages       Status          Last update time
===============                ================       ======          ================
[email protected]             21                     synced          Sat Nov 13 15:25:40 2021
[email protected]             29234                  synced          Wed Jun 23 15:24:20 2021
[email protected]             14                     synced          Sat Nov 13 15:25:39 2021




The DH that the endpoint connects to is not receiving updates from the DMS, as shown by the number of pending messages. Even when the status shows synced, the updated policies cannot be delivered to the DH through the ActiveMQ processes, so the DH assumes there are no further updated policies. The number of pending messages should never stay above 100. If the ActiveMQ process is working, the DH service will grab all messages each time the count goes over 100.


Recycling the ActiveMQ service along with the seos endpoint agent services (secons -S) should resolve this issue. If the issue recurs, you may need to open a support ticket to evaluate why.
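To catch this condition before policies stop arriving, the subscriber table printed by `sepmd -L` can be parsed and checked against the 100-message limit described above. This is an added example, not CA/Broadcom code; the subscriber names in the sample are constructed placeholders, and the `days_behind` field is an added convenience rather than a rule from the article.

```python
import re
from datetime import datetime

PENDING_LIMIT = 100  # threshold stated in the article
CTIME = "%a %b %d %H:%M:%S %Y"

# Constructed sample in the layout of the subscriber table shown above.
# Subscriber names are placeholders, not values from the article.
SAMPLE = """\
Subscriber                             Errors    Flag     Offset   Next command
Topic: ac_server_to_server_broadcast (DH)       0                 946311444
Daily messages sent     : 1858
Subscriber name                Pending messages       Status          Last update time
===============                ================       ======          ================
DH__@host-a.example            21                     synced          Sat Nov 13 15:25:40 2021
DH__@host-b.example            29234                  synced          Wed Jun 23 15:24:20 2021
DH__@host-c.example            14                     synced          Sat Nov 13 15:25:39 2021
"""

# name, pending count, status, ctime-style timestamp (day may be space-padded)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+"
                 r"(\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})$")

def parse_subscribers(text):
    """Return one dict per subscriber row; headers and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, pending, status, updated = m.groups()
            rows.append({"name": name, "pending": int(pending), "status": status,
                         "updated": datetime.strptime(updated, CTIME)})
    return rows

def backlogged(rows, limit=PENDING_LIMIT):
    """Subscribers over the pending limit, whatever their status column says."""
    newest = max((r["updated"] for r in rows), default=None)
    out = []
    for r in rows:
        if r["pending"] > limit:
            # days_behind is an added convenience, not a rule from the article
            out.append({**r, "days_behind": (newest - r["updated"]).days})
    return out

if __name__ == "__main__":
    for r in backlogged(parse_subscribers(SAMPLE)):
        print(f'{r["name"]}: {r["pending"]} pending, status={r["status"]}, '
              f'{r["days_behind"]} days behind newest subscriber')
```

Because the status column reads synced even for the backlogged subscriber, the check keys on the pending count alone.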