Symantec Access Management

Tech Tip : CA Single Sign-On : Web Agent not failing back to recovered Policy Servers 

Mar 22, 2018 11:46 AM

Issue:

We run 3 Policy Servers and our Web Agents are connecting to them, as we defined them in HCO in order: PS1, PS2, PS3, with Failover option set to Yes.

We found that sometimes the Web Agents are not able to failback to recovered Policy Servers.

To illustrate this, suppose we have the following Policy Servers defined following your HCO :


   PS1 -- (suppose it is currently down)
   PS2
   PS3

 

When the Web Agent is initialized, it will try to connect first to PS1. As it is currently down, it will fail to connect to it and the Web Agent will attempt to connect to Policy Server PS2, which is available. As expected the initialization will complete correctly. The Web Agent will send requests to the Policy Server PS2. When PS1 is recovered and up again, the Web Agent will not fail back to the Policy Server PS1 and it will continue sending requests to PS2. Why is this behavior and how can I fix this ?

 

Environment:

Web Agent : lower than 12.52SP1CR06

 

Cause:

During Web Agent initialization, the Web Agent marks the Policy Server PS1 as "Failed" since this Policy Server is not available. After, since the Web Agent is able to connect to the Policy Server PS2, PS2 is marked as "Active". And the Web Agent won't try to connect to the Policy Server PS3 since the Web Agent has found already an "Active" Policy Server (PS2). The Web Agent marks PS3 as "Disabled".

 

The Web Agent Connection Service thread won't consider "Failed" Policy Servers again, but it will monitor only the Active/Inactive/Disabled Policy Servers only. That is the reason why the Web Agent doesn't try to contact the Policy Server PS1 again.

Resolution:

 

This behaviour is changed starting from R12.52 SP1 CR06. The Web Agent will now mark the "Failed" Policy Servers as "Disabled" instead. As such, the Web Agent Connection Service thread will try to connect to the Policy Server PS1 when this one will be available again.

 

As workaround, the first Policy Server PS1 could be added as well as PS4 in the HCO, so when PS2 and PS3 are marker as "failed" then the Web Agent will try to connect the Policy Server 1 instance if this one is back online.

Also, a restart of the Web Agent will solve the issue, if the Policy Server PS1 is back online.

 

Additional Information:

From cumulative notes on 12.52SP1CR06:

 00216581     DE143166    Web Agent is not failing back to the first Policy Server and requests are not processed successfully when starting the first Policy Server.

 

Defects Fixed in 12.52 SP1 CR06

 

KD : KB000006584

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.