KB17848 - Access issues and timeout errors when PCS devices are in a Load Balancing configuration

Information

 
Last Modified Date: 8/1/2015 11:53 PM
Synopsis
This article explains how load balancing can be configured to route user requests to a PCS, either by an external Load Balancer or by Round-Robin (RR) Domain Name System (DNS).

If an external Load Balancer is used, persistence must be enabled on the Load Balancer for user access to function correctly. This ensures that all the requests from a user are directed to the same PCS. This persistence can be based on source IP or destination source, depending on the Load Balancer used.

RR DNS works by rotating the IP address order of a DNS query response when the DNS name is looked up. In a non-clustered environment, this can cause the client to send requests to a PCS that does not have any session data for the user. Although session data is synced between all devices in a clustered setup, the lack of persistence can still result in unpredictable behavior. Regardless of whether the setup is clustered or non-clustered, the user will experience a range of client errors, slowness, and session timeout messages.
Problem or Goal
The types of problems that can ensue vary depending on the environment, but they can include the following:
  • The original PCS where the session was initiated will not have an accurate last access time for the user. As a result, a user may hit the idle timer and have their session timed out although they are actively sending traffic to the PCS. This happens when traffic is sent to a PCS that does not have any session data for the user. The last access time is what the PCS uses to determine whether the session is still active or idle.
  • Users may be unable to access their applications or may experience occasional slowness when traffic is sent to a PCS other than the PCS where their session was created. This is because an SA will not respond to these requests if it does not have a session for that user.
  • If the client component has not already been downloaded, the following error could occur:
    Error: Failed to verify the downloaded application. Application cannot start.

  • Secure Meeting (SM)
    Error: You cannot access the meeting because your session has expired. Please rejoin the meeting.

  • Windows Secure Application Manager (WSAM)
    The Windows Secure Application Manager disconnected. Error Code: IDD_TIMEOUT

  • Network Connect (NC)
    The Network Connect session timed out (nc.windows.app.23790)

  • Host Checker (HC)
    User Access Log might show several disconnects due to the following:

    Year-Month-Day HR:MIN:SEC - ive - [Source IP] Root::username(Realm)[Role] - Session timed out for username/Realm (session:00000000) due to inactivity (last access at HR:MIN:SEC Year/Month/Day). Idle session identified during routine system scan.

    Error "Sorry, your session on this machine expired. To re-login, please enter your user information, otherwise for increased security please close your browser."

  • Java Secure Application Manager (JSAM)
    User may be unable to access their applications or may experience occasional slowness when traffic is sent to an SA other than the SA where their session was created.

    Error: "Session Expired"

Cause
Solution
RR DNS is not a supported method of load balancing your PCS (clustered or non-clustered). If you require load balancing to evenly distribute the load across all your PCS devices, it is recommended that you use an external load balancer that meets the following requirements:
  • Routes user requests to a PCS based on source-IP routing (persistence).
  • Supports IPSec.
  • Listens for traffic on multiple ports. (Ensure all three ports are grouped together and configured to terminate on the same SA in which the session was initiated.)
  • Can be configured to manage traffic using assigned source and destination IP addresses (not destination port).
Note: Please refer to your specific vendor documentation for how to accomplish these requirements on your load balancer.

If you are seeing these types of issues and you are using a load balancer with persistence enabled, collect a TCP capture on the physical adapter of the client to ensure that the persistence function on your load balancer is still operating properly.
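
The idle-timeout and missing-session symptoms described above can be reproduced with a simplified model. This is an added example, not Pulse Secure code: the node names, the 600-second idle timer, the client address and the hash-based node selection are assumptions, and it models the non-clustered case in which only the device that created the session holds it.

```python
import hashlib
from itertools import count

NODES = ["pcs-a", "pcs-b", "pcs-c"]  # hypothetical non-clustered devices
IDLE_TIMEOUT = 600                   # seconds; assumed idle-timer setting


def round_robin_picker():
    """No persistence (RR DNS): every request lands on the next node."""
    turn = count()
    return lambda: NODES[next(turn) % len(NODES)]


def source_ip_picker(client_ip):
    """Source-IP persistence: one client always maps to the same node."""
    index = hashlib.sha256(client_ip.encode()).digest()[0] % len(NODES)
    return lambda: NODES[index]


def simulate(pick, request_times):
    """Replay one user's requests.

    Returns (requests_sent_to_a_node_without_the_session,
             time_the_home_node_idle_timer_expired_or_None).
    """
    home = last_access = None
    misses = 0
    for t in request_times:
        node = pick()
        if home is None:              # login request creates the session
            home, last_access = node, t
        elif t - last_access > IDLE_TIMEOUT:
            return misses, last_access + IDLE_TIMEOUT  # timed out while active
        elif node == home:
            last_access = t           # only the home node refreshes last access
        else:
            misses += 1               # this node has no session for the user
    return misses, None


if __name__ == "__main__":
    busy_user = range(0, 3001, 250)   # constructed input: a request every 250 s
    print("round robin:", simulate(round_robin_picker(), busy_user))
    print("source IP  :", simulate(source_ip_picker("203.0.113.10"), busy_user))
```

With a request every 250 seconds, the round-robin run ends with the home node expiring the session at 600 seconds even though the user never stopped sending traffic, while the source-IP run keeps the session alive with no requests landing on a node that lacks it.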
Created By: Data Deployment