Introducing a Load Balancer between the Web Agent and the Policy server can cause communication failure errors that can be identified in the Web Agent Log starting with -2 followed by -1 error as seen below:

[14259/1151969248][Sun Feb 07 2016 12:58:21][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-2'.
[14257/1151969248][Sun Feb 07 2016 13:06:58][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420]HLA: Component reported fatal error: 'Low Level Agent'.
[14257/1151969248][Sun Feb 07 2016 13:06:58][CSmHighLevelAgent.cpp:413][ERROR][sm-AgentFramework-00420] HLA:Component reported fatal error: 'Protection Manager'.
[14257/1151969248][Sun Feb 07 2016 13:07:55][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520]LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned'-1'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520]LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned'-1'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmAuthenticationManager.cpp:194][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmHighLevelAgent.cpp:1244][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authentication Manager'

As a Load Balancer has been introduced between the Web Agent and the Policy server, here is what can happen:

• The Policy server has a TCP Idle Session Timeout value set to 10 min (default) which is configurable from the console.
  
  What that means is that the Policy Server will timeout an active connection from the Web Agent if no request is received on it within 10 min;
  
  
• When a Load Balancer is introduced in the middle, most of these Load Balancers have the session timeout set to 5 min; hence the problem.

The steps below explain how the problem occurs

1. The Web Agent opens a connection to the Policy Server where normal priority requests are served;
   
   
2. If the Web Agent doesn't send any request on this connection within 5 minutes, the Load Balancer will timeout the session and close the connection;
   
   
3. The problem arises as the Load Balancer doesn't notify the Web Agent or the Policy Server of this closed connection;
   
   
4. For the Policy Server, it will terminate the connection from its end after another 5 minutes (total of 10 minutes) as no connection was received from the Web Agent within the last 10 minutes.
   
   The Policy Server will notify the Web Agent that the connection was closed;
   
   
5. The problem is that the Load Balancer receives the close connection from Policy Server; however, as the Load Balancer already dropped the connection as explained in Step 3, the close request never reaches the Web Agent;
   
   
6. Now the Web Agent receives requests that he needs to process; it looks for the available connections in the pool.
   
   As the connection in question is still available, the Web Agent will process the call and, by default, will wait for 60 seconds to hear back from the Policy Server;
   
   
7. The Load Balancer receives the request from the Web Agent and, as it has already dropped the connection, it will disregard the request;
   
   
8. The Web Agent will wait for 60 seconds and as it did not receive any response, it will throw the
   
   "SiteMinder Agent API function failed - 'Sm_AgentApi_IsProtectedEx' returned '-2'
   
   Which means that the request was timed out followed by the -1 as the Web Agent will get in the re-connect mode.

To solve this issue, the Tcp Idle Session Timeout registry setting configured on the Policy Server should be less than the session timeout configured for any device between the Policy Server and the Web Agent (Load Balancer or Firewall) (1).

On Linux Policy Server, the registry is this one:

sm.registry

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=471740537
Tcp Idle Session Timeout=                         0xa;  REG_DWORD

1. Idle Timeouts and Stateful Inspection Devices