Issue:
The Policy Server reports error 81 (the LDAP SDK's LDAP_SERVER_DOWN, 0x51, "Can't contact LDAP server") for a user store and fails over to the secondary server, then fails back, even though the primary user store is healthy.
When a request is made to a user store, a new "Connection Manager thread" is started. That thread sets up four connections to the service defined by the User Store object; this set of connections is labeled LDAP_BANK.
The management (ping) thread is always active and reports no errors. If no requests are sent over the other three connections of the LDAP_BANK, the peer's idle timeout may expire, or a device in the middle (a firewall or load balancer) may close the connection. In that scenario only the ping thread's connection remains ESTABLISHED; the other three go into CLOSE_WAIT, because the peer has sent its FIN but the Policy Server has not yet closed its end of the socket. They stay in CLOSE_WAIT until the Policy Server attempts to use one of them; at that point error 81 is logged and the failover process takes place.
A simple scenario in which this occurs: the user store is Active Directory and the authentication method is NTLM. NTLM is a trusted authentication scheme, meaning IIS performs the authentication and the Policy Server trusts that result and performs only authorization. The "Dir" connection therefore never gets used and idles out.
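Because the ping connection stays healthy, the condition is invisible to the management thread; it does show up in the host's socket table as CLOSE_WAIT sockets on the user-store port. The script below is an added diagnostic, not part of the product or of this article: it reads `ss -tan` (Linux) or `netstat -an` (Windows or Linux) output from stdin and reports how many connections to the user-store port are in each TCP state, flagging any CLOSE_WAIT ones, which are exactly the connections that will log error 81 on first use. The sample socket-table lines are constructed, and port 389 as the user-store port is an assumption.

```shell
#!/bin/sh
# Added diagnostic (not from the product): count TCP connections to the
# user-store port by state, reading `ss -tan` or `netstat -an` output
# from stdin. A CLOSE_WAIT socket on that port is one the peer has
# already closed and that will fail with error 81 when next used.

# Constructed sample of `ss -tan` output on a Linux Policy Server host:
# the ping connection is ESTAB, the three idle ones are CLOSE-WAIT.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:51234       10.0.0.20:389
CLOSE-WAIT 0      0      10.0.0.5:51235       10.0.0.20:389
CLOSE-WAIT 0      0      10.0.0.5:51236       10.0.0.20:389
CLOSE-WAIT 0      0      10.0.0.5:51237       10.0.0.20:389
ESTAB      0      0      10.0.0.5:44000       10.0.0.30:443'

# Constructed sample of Windows `netstat -an` output for the same condition.
SAMPLE_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:51234         10.0.0.20:389          ESTABLISHED
  TCP    10.0.0.5:51235         10.0.0.20:389          CLOSE_WAIT
  TCP    10.0.0.5:51236         10.0.0.20:389          CLOSE_WAIT'

# Print "<STATE> <count>" for each state of the connections whose peer
# port is $1. Accepts ss format (state first) and netstat format
# (protocol first, state last) and normalises the state names.
conn_states_for_port() {
  awk -v port="$1" '
    NF == 0 || $1 ~ /^(State|Proto|Active|udp|udp6|UDP|UDPv6)$/ { next }  # headers, blanks, UDP
    {
      if ($1 ~ /^(tcp|tcp6|TCP|TCPv6)$/) { state = $NF; peer = $(NF-1) }  # netstat
      else                               { state = $1;  peer = $5 }      # ss
      gsub("-", "_", state)                  # CLOSE-WAIT -> CLOSE_WAIT
      if (state == "ESTAB") state = "ESTABLISHED"
      n = split(peer, p, ":")                # peer port is the last field
      if (p[n] == port) count[state]++
    }
    END { for (s in count) print s, count[s] }' | sort
}

# Number of CLOSE_WAIT connections to peer port $1 (0 when none).
close_wait_count() {
  conn_states_for_port "$1" | awk '$1 == "CLOSE_WAIT" { c = $2 } END { print c + 0 }'
}

# Return 1 (and say so) when any connection to the user-store port is
# half-closed; this is the state that precedes the spurious failover.
check_ldap_bank() {
  n=$(close_wait_count "$1")
  if [ "$n" -gt 0 ]; then
    echo "DEGRADED: $n CLOSE_WAIT connection(s) to user-store port $1"
    return 1
  fi
  echo "OK: no CLOSE_WAIT connections to user-store port $1"
}

# Run against the constructed samples. On a real host pipe the live
# socket table in instead, e.g.  ss -tan | check_ldap_bank 389
# (a non-zero status is the finding, not a script error).
for sample in "$SAMPLE_SS" "$SAMPLE_NETSTAT"; do
  printf '%s\n' "$sample" | check_ldap_bank 389 || true
done
```

Run it on the Policy Server host, not on the LDAP server: CLOSE_WAIT is the state of the side that has not yet closed, so it only appears where the Policy Server process holds the idle sockets. If the count is non-zero while the ping thread is quiet, the next user-store request will hit one of those sockets and trigger the failover described above.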
Resolution:
Addressed in two bugs
Summary of Change:
To fix the above issue, code was added to check whether the current server is still reachable. If it is, the Policy Server reconnects to the existing server instead of moving to the next server, so the unnecessary failover no longer occurs.