When running CA Access Gateway (SPS), it returns the following error:
LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'
Each CA Access Gateway (SPS) server experiences this issue once a month.
The CA Access Gateway (SPS) becomes unresponsive when the issue happens. A restart is needed to recover the service.
6 CA Access Gateway (SPS) 12.8SP4 on Windows 2016;
4 Policy Server on Windows 2016;
The problem is that the CA Access Gateway (SPS) Agent lost its connection with the Policy Servers. The Policy Servers are seen as down, which seems to be caused by a Policy Server restart, an intermittent network problem, or the firewall.
The CA Access Gateway (SPS) sends requests to the first Policy Server listed in the HCO list until that server becomes unreachable (down). It then moves to the next one (failover), and continues this way until it reaches the end of the list (the last one being 10.0.0.4). At that stage, it reports:
The Server 10.0.0.4 is not responding and may be down. Not retrying connection.
The number of active servers fell below the threshold.
This failover behavior is a known issue, fixed in CA Access Gateway (SPS) 12.8SP5, DE477951 (1).
The fix addresses the problem where the CA Access Gateway (SPS) Agent doesn't re-check the Policy Servers previously marked as down to see whether they are back online and running.
So it ends up with no Policy Server available until the CA Access Gateway (SPS) gets restarted.
The above fix concerns both failover and load-balancing HCO configurations.
The HCO determines how connections are used for requests to the Policy Server. For performance reasons, it is better to have each of the 6 SPS Agents send requests to the most available Policy Server; thus, the HCO EnableFailover should be set to no.
And to fix the above issue, CA Access Gateway (SPS) should be upgraded to at least 12.8SP5.
Setting Agentwaittime to 120 is a good idea, and according to the following KD, its optimal value should be 130 [(4*30)+10=130] (2).
This affects only the connection the Agent builds with the Policy Server when a new connection is needed.
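As an added example (not part of the original article and not Broadcom code), the following Python script scans agent log lines for the messages quoted above and reports how far the agent has walked through the HCO list, so the condition can be alerted on before the last Policy Server is marked down. The addresses 10.0.0.1 to 10.0.0.3, the log line layout and the function name assess are assumptions; it also assumes the caller passes only lines written since the last SPS start.

```python
import re

# Message texts are taken from the article; anything before them on a line is ignored.
DOWN_RE = re.compile(
    r"The Server (\S+) is not responding and may be down\. Not retrying connection\.")
THRESHOLD_MSG = "The number of active servers fell below the threshold."
API_FAIL_MSG = "'Sm_AgentApi_IsProtectedEx' returned '-1'"

# Constructed sample data: only 10.0.0.4 appears in the article.
HCO = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
SAMPLE_LOG = [
    "The Server 10.0.0.1 is not responding and may be down. Not retrying connection.",
    "The Server 10.0.0.2 is not responding and may be down. Not retrying connection.",
    "The Server 10.0.0.3 is not responding and may be down. Not retrying connection.",
    "The Server 10.0.0.4 is not responding and may be down. Not retrying connection.",
    "The number of active servers fell below the threshold.",
    "LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'",
]


def assess(lines, hco_servers):
    """Summarise Policy Server state from agent log lines written since the
    last SPS start (assumption: the caller supplies only those lines)."""
    down, threshold_hit, api_failures = [], False, 0
    for line in lines:
        m = DOWN_RE.search(line)
        if m:
            if m.group(1) in hco_servers and m.group(1) not in down:
                down.append(m.group(1))
        elif THRESHOLD_MSG in line:
            threshold_hit = True
        elif API_FAIL_MSG in line:
            api_failures += 1
    remaining = [s for s in hco_servers if s not in down]
    if not remaining or threshold_hit or api_failures:
        status = "CRITICAL"  # no usable Policy Server left; on 12.8SP4 a restart is needed
    elif down:
        status = "WARNING"   # failover under way; servers marked down are not re-checked
    else:
        status = "OK"
    return {"status": status, "down": down, "remaining": remaining,
            "threshold_hit": threshold_hit, "api_failures": api_failures}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG[:2], HCO))  # two servers marked down so far
    print(assess(SAMPLE_LOG, HCO))      # list exhausted, agent failing
```

A WARNING result is the point at which to act on an SPS that is still on 12.8SP4, since each further Policy Server marked down brings the agent closer to the unresponsive state.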