Tech Tip : CA Single Sign-On : Failing back LDAP store type #1 to server 10.0.0.1:8000

    Broadcom Employee
    Posted May 22, 2019 08:57 AM

    Question:

    We're running a Policy Server and we see the Policy Server writing
    log lines like:

    [smldaputils.cpp:1029][INFO][sm-Server-04410] Failing back LDAP store type #1 to server '10.0.0.1:8000'.

    At that time, you observe high response time. The Policy Store shows
    statistics of:

    [0] 20190514.065800.849 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 1 Ops 6 Entries 4 Mem 23/14 CPU Seconds 60/60 CPU kTicks 1

    [0] 20190514.042000.358 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 1 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 1

    [0] 20190514.022000.846 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 0 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 1

    This issue occurs at night, when traffic is at its lowest.

    Why does the fail back occur?

    Answer:

    At first glance, this can indeed occur if the Key Store closes the
    connection. By design, the Policy Server won't terminate a connection
    when the Policy or Key Store closes the connection on its end.

    As such, the Policy Server will still try to use the broken connection
    and, on finding that it is broken, will report an LDAP error and open
    a new connection to the same server right after.

    You should consider investigating whether something happens on the OS
    or on the network, as we see the same line almost exactly 2 hours later.
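    As an added illustration (not part of the original tech tip), the following Python script parses the CA Directory STATS lines quoted above and a constructed smps.log excerpt carrying the fail-back message, then measures the spacing between fail-back events: a fixed interval supports the OS/network timer explanation given above, while irregular gaps point elsewhere. The "[MM/DD/YYYY][HH:MM:SS]" prefix on the smps.log sample is an assumed format for this example, not one taken from the product documentation.

```python
import re
from datetime import datetime

# Constructed smps.log excerpt: the message text is the one quoted in the tech tip; the leading
# "[MM/DD/YYYY][HH:MM:SS]" stamp is an ASSUMED prefix added for this example, not a documented format.
SMPS_LOG = """\
[05/14/2019][02:20:01][smldaputils.cpp:1029][INFO][sm-Server-04410] Failing back LDAP store type #1 to server '10.0.0.1:8000'.
[05/14/2019][04:20:00][smldaputils.cpp:1029][INFO][sm-Server-04410] Failing back LDAP store type #1 to server '10.0.0.1:8000'.
[05/14/2019][06:19:58][smldaputils.cpp:1029][INFO][sm-Server-04410] Failing back LDAP store type #1 to server '10.0.0.1:8000'.
"""
# Constructed CA Directory STATS sample; the three lines are the ones quoted in the tech tip.
STATS_LOG = """\
[0] 20190514.065800.849 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 1 Ops 6 Entries 4 Mem 23/14 CPU Seconds 60/60 CPU kTicks 1
[0] 20190514.042000.358 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 1 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 1
[0] 20190514.022000.846 STATS : Assocs 1 NilCredit 0 Queue 0+0 MWQ 0/0 Active 0 Ops 6 Entries 4 Mem 21/14 CPU Seconds 60/60 CPU kTicks 1
"""
FAILBACK_RE = re.compile(r"^\[(?P<d>\d\d/\d\d/\d{4})\]\[(?P<t>\d\d:\d\d:\d\d)\].*"
                         r"Failing back LDAP store type #(?P<store>\d+) to server '(?P<server>[^']+)'")
STATS_RE = re.compile(r"^\[\d+\] (?P<ts>\d{8}\.\d{6}\.\d{3}) STATS : (?P<body>.*)$")
# STATS counter names; two of them contain a space, so match on the known names instead of splitting.
FIELDS = ["Assocs", "NilCredit", "Queue", "MWQ", "Active", "Ops", "Entries", "Mem", "CPU Seconds", "CPU kTicks"]
FIELD_RE = re.compile(r"(%s) (\S+)" % "|".join(re.escape(f) for f in FIELDS))

def failback_events(text):
    """Return (datetime, store type, server) for every fail-back line in an smps log."""
    out = []
    for line in text.splitlines():
        m = FAILBACK_RE.match(line)
        if m:
            ts = datetime.strptime(m["d"] + " " + m["t"], "%m/%d/%Y %H:%M:%S")
            out.append((ts, int(m["store"]), m["server"]))
    return out

def parse_stats(text):
    """Return one dict per STATS line, e.g. {'ts': datetime, 'Assocs': '1', 'Mem': '23/14', ...}."""
    rows = []
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            row = {"ts": datetime.strptime(m["ts"], "%Y%m%d.%H%M%S.%f")}
            row.update(dict(FIELD_RE.findall(m["body"])))
            rows.append(row)
    return rows

def gaps_minutes(timestamps):
    """Minutes between consecutive events, oldest first."""
    ts = sorted(timestamps)
    return [round((b - a).total_seconds() / 60) for a, b in zip(ts, ts[1:])]

def looks_periodic(gaps, tolerance_min=5):
    """All gaps within tolerance of each other: a timer (idle timeout, keepalive) rather than load."""
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_min
```

    With the constructed sample, the fail-back events are 120 minutes apart and flagged as periodic, while the quoted STATS samples show the directory nearly idle (Active 0/1, Ops 6) at those times, so load is not the explanation.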

    Additional Information:

    Further reading about the related topics:

    Policy Server reports error : Error# '81' during search: 'error: Can't contact LDAP server'
    https://comm.support.ca.com/kb/policy-server-reports-error-error-81-during-search-error-cant-contact-ldap-server/kb000008010

    SMPS logs is reporting failover and failback, however can't determine which type of repository is failing over
    https://comm.support.ca.com/kb/smps-logs-is-reporting-failover-and-failback-however-cant-determine-which-type-of-repository-is-failing-over/kb000038541

    LDAP Stores :: Failover
    https://comm.support.ca.com/kb/ldap-stores-failover/kb000049848

    How to Configure a CA Directory Key Store
    https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-key-store/how-to-configure-a-ca-directory-key-store


    Defects Fixed in 12.52 SP1 CR09
    00849582 DE317504
    Policy Server intermittently fails to connect to CA Directory policy store, session store, and user store, and displays the LDAP Error 81 error.
    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-52-sp1-cr09

    KB : KB000132530