Introducing a Load Balancer between the Web Agent and the Policy server can cause commutation failure errors that can be identified in the Web Agent Log starting with -2 followed by -1 error as seen below:
[14259/1151969248][Sun Feb 07 2016 12:58:21][CSmLowLevelAgent.cpp:546][ERROR][sm-AgentFramework-00520] LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-2'.
[14257/1151969248][Sun Feb 07 2016 13:06:58][CSmProtectionManager.cpp:192][ERROR][sm-AgentFramework-00420]HLA: Component reported fatal error: 'Low Level Agent'.
[14257/1151969248][Sun Feb 07 2016 13:06:58][CSmHighLevelAgent.cpp:413][ERROR][sm-AgentFramework-00420] HLA:Component reported fatal error: 'Protection Manager'.
[14257/1151969248][Sun Feb 07 2016 13:07:55][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520]LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned'-1'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmLowLevelAgent.cpp:1378][ERROR][sm-AgentFramework-00520]LLA:SiteMinder Agent Api function failed - 'Sm_AgentApi_LoginEx' returned'-1'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmAuthenticationManager.cpp:194][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Low Level Agent'.
[14257/1151969248][Sun Feb 07 2016 13:17:10][CSmHighLevelAgent.cpp:1244][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authentication Manager'
As a Load Balancer has been introduced between the Web Agent and the Policy server, here is what can happen:
The steps below explain how the problem occurs
- To solve this issue, the idle timeout configured on the Policy Server should be less than the session timeout configure for any device between Policy Server and Web Agent (Load Balancer or Firewall) (1).
(1)
Idle Timeouts and Stateful Inspection Devices
Stateful inspection devices, such as firewalls, generally have an
idle timeout setting. SiteMinder connections from Policy Servers to
Agents also have idle timeout settings.