Issue: 

Getting "Error 91 - Can't connect to the LDAP server" in smps.log for LDAP binds with failover servers in place.

For Example: In Data Center A we are getting the below error while trying to fail-over to Data Center B and Vice Versa.

[01/28/2015][11:30:09][3844287344][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-00350] SmObjLdapConnMgr Bind. Server Data_Center_B:20492. Error 91 - Can't connect to the LDAP server][][]

Environment:  

Policy Server: R12.52 SP1

CA Directory: R12 SP12

Cause: 

The default connection setup timeout to session/policy store (CA directory) should be 10 seconds, however based on analysis it using 10ms. This results in failures connecting to the session/policy/key store across the data center.

There is known issue for policy/key/session store LDAP binds with fail-over servers in place on 12.52 SP1 and it is fixed in 12.52SP1CR1.

As a work around try connecting only one LDAP store if it's non prod environment and if it is production use LDAPPingTimeout in smregistry.

Resolution:

Please find the temporary workaround by adding the following to the sm.registry (LDAPPingTimeout) in case of production.

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug=1032831252

Console= 0; REG_DWORD

LDAPPingTimeout= 0x64; REG_DWORD

And for Permanent fix, kindly upgrade your policy server to R12.52 SP1 CR01