000022092 - Very slow failover from primary RSA ClearTrust LDAP datastore to backup datastore

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000022092
Applies To: RSA ClearTrust 5.5.3 Data Adapter Active Directory
connection.disableservertime is set to a low value, like 30000
Issue: Very slow failover from primary RSA ClearTrust LDAP datastore to backup datastore
Machine with primary LDAP datastore fails (powered off)
Users cannot authenticate
Resolution: If the primary datastore fails completely (the machine is powered off, so connection attempts time out instead of being refused with a TCP RST), the failover time to the secondary datastore can be quite long. The LDAP failover time can be estimated with the following formula:

(defaulttimeout (ms) * retrycount) * number_of_connections_open_to_the_datastore

The defaulttimeout and retrycount values are configured in ldap.conf (see below). The maximum number of open data connections is configured there as well.

The time it takes for a failover to occur depends heavily on the number of connections open to the datastore: the more connections, the longer the failover takes, because each one must time out in turn.

Knowing that, tune ldap.conf so that the maximum number of open connections does not grow too large, and at the same time lower the defaulttimeout values so that ClearTrust does not wait too long for an answer from the LDAP server.

In addition, in the agent configuration file, set cleartrust.agent.auth_server_timeout higher than the maximum failover time; otherwise the agent gives up on the authorization server before the server has finished failing over. Depending on the environment, this value should be at least a couple of minutes.

Here are example values that can be used to reduce the failover time.

In ldap.conf:

cleartrust.data.ldap.directory.activedirectory2.connection.startconnections    :5
cleartrust.data.ldap.directory.activedirectory2.connection.ondemandconnections :2
cleartrust.data.ldap.directory.activedirectory2.connection.minfreeconnections  :1
cleartrust.data.ldap.directory.activedirectory2.connection.defaulttimeout      :2000
cleartrust.data.ldap.directory.activedirectory2.connection.retrycount          :2
cleartrust.data.ldap.directory.activedirectory2.connection.retryinterval       :100

In webagent.conf:

cleartrust.agent.auth_server_timeout=5 Minutes

With the values above a failover time of about 40 + 40 seconds can be obtained. Note that these values must be adapted to your environment. Also make sure that the value of:

cleartrust.data.ldap.directory.activedirectory.connection.disableservertime

is set to at least ten minutes (600000 ms). Otherwise the failover algorithm will try to re-establish the connection to the primary datastore too often, causing further delays.
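The following script is an added example, not part of this article or of the ClearTrust product: it applies the article's formula to the values in an ldap.conf fragment, converts the agent's auth_server_timeout to milliseconds, and reports the two misconfigurations the article warns about (an agent timeout that does not exceed the estimated failover time, and a disableservertime below ten minutes). The sample fragments are constructed for the example and use the article's suggested values but leave disableservertime at 30000. Two assumptions are labelled in the code: the number of open connections defaults to startconnections + ondemandconnections (the article does not say which key caps the pool), and a bare number in a duration is treated as milliseconds. The example also uses the same directory name (activedirectory2) for the disableservertime key, whereas the article's own line names "activedirectory"; use whichever name matches your ldap.conf.

```python
"""Estimate RSA ClearTrust LDAP failover time and check the companion settings.

Formula from the article: (defaulttimeout (ms) * retrycount) * open connections.
"""
import re

TEN_MINUTES_MS = 10 * 60 * 1000

# Constructed sample fragments (not a real customer configuration).
SAMPLE_LDAP_CONF = """
cleartrust.data.ldap.directory.activedirectory2.connection.startconnections    :5
cleartrust.data.ldap.directory.activedirectory2.connection.ondemandconnections :2
cleartrust.data.ldap.directory.activedirectory2.connection.minfreeconnections  :1
cleartrust.data.ldap.directory.activedirectory2.connection.defaulttimeout      :2000
cleartrust.data.ldap.directory.activedirectory2.connection.retrycount          :2
cleartrust.data.ldap.directory.activedirectory2.connection.retryinterval       :100
cleartrust.data.ldap.directory.activedirectory2.connection.disableservertime   :30000
"""
SAMPLE_WEBAGENT_CONF = "cleartrust.agent.auth_server_timeout=5 Minutes\n"

_LINE = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(.*?)\s*$")

# Duration units accepted by to_ms(); an empty unit means a bare number.
_UNITS_MS = {
    "": 1, "ms": 1, "millisecond": 1, "milliseconds": 1,
    "s": 1000, "sec": 1000, "secs": 1000, "second": 1000, "seconds": 1000,
    "m": 60000, "min": 60000, "mins": 60000, "minute": 60000, "minutes": 60000,
    "h": 3600000, "hr": 3600000, "hour": 3600000, "hours": 3600000,
}


def parse_conf(text):
    """Parse 'key : value' and 'key=value' lines into a dict; blank and '#' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def to_ms(value):
    """Convert '5 Minutes', '40 seconds' or '2000' to milliseconds.

    Assumption: a bare number is milliseconds, like the ldap.conf timeouts.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m or m.group(2).lower() not in _UNITS_MS:
        raise ValueError("unrecognised duration: %r" % value)
    return int(m.group(1)) * _UNITS_MS[m.group(2).lower()]


def estimate_failover_ms(ldap, directory, connections=None):
    """Apply the article's formula to the parsed ldap.conf values.

    Assumption: when 'connections' is not given, the pool is taken to grow to
    startconnections + ondemandconnections (the worst case for the formula).
    """
    prefix = "cleartrust.data.ldap.directory.%s.connection." % directory
    timeout_ms = int(ldap[prefix + "defaulttimeout"])
    retries = int(ldap[prefix + "retrycount"])
    if connections is None:
        connections = (int(ldap[prefix + "startconnections"])
                       + int(ldap.get(prefix + "ondemandconnections", 0)))
    return timeout_ms * retries * connections


def check_failover(ldap_text, agent_text, directory="activedirectory2", connections=None):
    """Return the estimate plus warnings for the two settings the article calls out."""
    ldap = parse_conf(ldap_text)
    agent = parse_conf(agent_text)
    prefix = "cleartrust.data.ldap.directory.%s.connection." % directory
    failover_ms = estimate_failover_ms(ldap, directory, connections)
    auth_timeout_ms = to_ms(agent["cleartrust.agent.auth_server_timeout"])
    disable_ms = int(ldap[prefix + "disableservertime"])
    warnings = []
    if auth_timeout_ms <= failover_ms:
        warnings.append("auth_server_timeout (%d ms) must exceed the estimated failover time (%d ms)"
                        % (auth_timeout_ms, failover_ms))
    if disable_ms < TEN_MINUTES_MS:
        warnings.append("disableservertime (%d ms) is below ten minutes; the primary will be retried too often"
                        % disable_ms)
    return {"failover_ms": failover_ms, "auth_server_timeout_ms": auth_timeout_ms,
            "disableservertime_ms": disable_ms, "warnings": warnings}


if __name__ == "__main__":
    report = check_failover(SAMPLE_LDAP_CONF, SAMPLE_WEBAGENT_CONF)
    print("estimated failover: %d ms" % report["failover_ms"])
    for w in report["warnings"]:
        print("WARNING:", w)
```

Run it against copies of your own ldap.conf and webagent.conf; the estimate is only as good as the connection count you feed in, so pass connections= with the pool size you observe on the server when it is busy rather than relying on the default.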
Legacy Article ID: a26826
