Error: 'Sm_AgentApi_IsProtectedEx' returned '-1' in SPS

Article ID: 263216

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

While running, CA Access Gateway (SPS) returns the following error:

    LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'

Each CA Access Gateway (SPS) server experiences this issue once a month.

The CA Access Gateway (SPS) becomes unresponsive when the issue happens. A restart is needed to recover the service.

 

Environment

 

6 CA Access Gateway (SPS) 12.8SP4 on Windows 2016;
4 Policy Server on Windows 2016;

 

Cause

 

The CA Access Gateway (SPS) Agent lost its connection to the Policy Servers. The Policy Servers are seen as down, which seems to be caused by a Policy Server restart, an intermittent network problem, or the firewall.

The CA Access Gateway (SPS) sends its requests to the first Policy Server in the HCO list until that server becomes unreachable (down), then moves to the next one (failover). It continues this way until it reaches the end of the list (the last server being 10.0.0.4), at which point it reports:

  The Server 10.0.0.4 is not responding and may be down. Not retrying connection.
  The number of active servers fell below the threshold.

A known issue with this failover behavior is fixed in CA Access Gateway (SPS) 12.8SP5 under DE477951 (1).

That fix addresses the problem where the CA Access Gateway (SPS) Agent does not recheck Policy Servers it previously marked as down to see whether they are back online and running.

As a result, the Agent ends up with no Policy Server available until the CA Access Gateway (SPS) is restarted.

The fix applies to both failover and load-balancing HCO configurations.

The HCO determines how connections are used for requests to the Policy Server. For performance, it is better to have each of the 6 SPS Agents send requests to the most available Policy Server, so the HCO EnableFailover should be set to no.

To fix the issue above, CA Access Gateway (SPS) should be upgraded to at least 12.8SP5.

Setting AgentWaitTime to 120 is a good idea; according to the KD referenced below, its optimal value should be 130 [(4*30)+10=130] (2).

This affects only the connection the Agent builds with the Policy Server when a new connection is needed.

 

Resolution

 

  • Upgrade SPS to at least 12.8SP5.
  • Set AgentWaitTime to 130 in the WebAgent.conf of each CA Access Gateway (SPS).
  • Set EnableFailover to No in the HCO of every CA Access Gateway (SPS), so that requests are load balanced and go to the faster Policy Server.
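
Until the upgrade is in place, the failure sequence described under Cause can be caught in the agent log before the gateway stops responding. The following is an added example, not Broadcom code: the message texts are the ones quoted in this article, while the timestamp prefix, the sample lines, the addresses 10.0.0.1 to 10.0.0.3 and the function name are assumptions made for the example.

```python
import re

# Message texts come from this article; everything else is constructed.
DOWN_RE = re.compile(r"The Server (\S+) is not responding and may be down")
THRESHOLD_MSG = "The number of active servers fell below the threshold"
API_FAIL_RE = re.compile(r"Agent Api function failed - '(\w+)' returned '-1'")

def scan_agent_log(lines, policy_servers):
    """Return (servers marked down, alerts) for one agent log.

    policy_servers: Policy Server addresses configured in the HCO.
    A server stays "down" once seen, matching the pre-12.8SP5 behavior
    in which the agent never rechecks servers it has marked down.
    """
    down, alerts = [], []
    for n, line in enumerate(lines, 1):
        m = DOWN_RE.search(line)
        if m:
            if m.group(1) not in down:
                down.append(m.group(1))
            remaining = [s for s in policy_servers if s not in down]
            if not remaining:
                alerts.append((n, "CRITICAL", "all configured Policy Servers marked down"))
            elif len(remaining) == 1:
                alerts.append((n, "WARNING", "only %s is still usable" % remaining[0]))
        elif THRESHOLD_MSG in line:
            alerts.append((n, "CRITICAL", "active servers fell below the threshold"))
        else:
            m = API_FAIL_RE.search(line)
            if m:
                alerts.append((n, "CRITICAL", "%s returned -1" % m.group(1)))
    return down, alerts

# Constructed sample: four Policy Servers failing over in HCO order.
POLICY_SERVERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
SAMPLE_LOG = [
    "[t1] The Server 10.0.0.1 is not responding and may be down. Not retrying connection.",
    "[t2] The Server 10.0.0.2 is not responding and may be down. Not retrying connection.",
    "[t3] The Server 10.0.0.3 is not responding and may be down. Not retrying connection.",
    "[t4] The Server 10.0.0.4 is not responding and may be down. Not retrying connection.",
    "[t5] The number of active servers fell below the threshold.",
    "[t6] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'",
]

if __name__ == "__main__":
    marked_down, found = scan_agent_log(SAMPLE_LOG, POLICY_SERVERS)
    for line_no, level, text in found:
        print("line %d: %s: %s" % (line_no, level, text))
```

The WARNING raised when a single Policy Server remains is the point at which an operator can still act before the agent runs out of servers.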

 

Additional Information

 

(1)

    Defects Fixed in 12.8.05
    

(2)

    AgentWaitTime parameter Explained in webagent.conf