Sample Calculations for Sockets and Maximum Connections

The following sections provide examples of how to calculate the needed number of sockets for Agents and the maximum connections for Policy Servers.

IIS and Sun Java Systems Examples

If there is one Web Agent, and thus one trusted host, connecting to the Policy Server, and the MaxSocketsPerPort setting is 20, then there will be a maximum of 20 * 1 = 20 open sockets. Even if multiple Agent identities are created within that Web Agent, as long as there is only one smhost.conf file, only one set of sockets will be opened to the Policy Server. If any Web Agents use the Policy Server for failover, then MinSocketsPerPort for each of those trusted hosts must also be added (except for Apache; see below). You should also calculate the total number of sockets needed on the Policy Server if all of the Agents fail over completely.

By default, the maximum number of Agent connections is 256. If the number of client connections exceeds the number that the Policy Server can accept, the Policy Server will refuse additional connections. If this occurs, then with debug tracing enabled on the Policy Server, the following message appears in the debug log for the affected service:

"Rejected connection request. Too many server threads (256) or server is shutting down."

In addition, 500 errors appear in the browser making the request.

Apache Examples

In Apache, the number of connections is calculated as one connection per Apache child process, per trusted host. For example, if you have a maximum of 150 child processes (value of MaxClients in httpd.conf) and 1 trusted host, then there will be a maximum of 150 * 1 = 150 connections from that Agent. For other Web Agents using the Policy Server for failover, the maximum number of child processes (for Apache agents) or MinSocketsPerPort (for other agents) must also be added to that total.

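If the number of client connections exceeds the number that the Policy Server can accept, the Policy Server will refuse additional connections. If this occurs, then with debug tracing enabled on the Policy Server, the following message appears in the debug log for the affected service:

"Rejected connection request. Too many server threads (256) or server is shutting down."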

In addition, 500 errors appear in the browser making the request.

IIS and Sun Java Systems Recommendations

For IIS and Sun Java Systems Web Agents, if all sockets in the connection pool are being used, then this usually indicates that there is a bottleneck in the back end (Policy Server, user directory, and so on). For that reason, and to limit the number of connections to the Policy Server, CA recommends against increasing MaxSocketsPerPort above the default of 20. With the default MaxSocketsPerPort (Web Agent) and Maximum Connections (Policy Server) settings, 10-15 Agent identities may connect to a single Policy Server. You must ensure that the maximum number of sockets that can be opened does not exceed the capacity of the Policy Server to accept those connections.

Apache Recommendations

For Apache Web Agents, the suggested ratio of Web Agents to Policy Servers is 2-4 Agent identities per Policy Server, depending on the Maximum Connections setting on the Policy Server, the MaxClients setting on each Apache instance, and the number of Agent identities. You must ensure that the maximum number of sockets that can be opened does not exceed the capacity of the Policy Server to accept those connections.
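The calculations from the IIS/Sun Java Systems and Apache sections can be run against an agent inventory to check it against Maximum Connections. This is an added example, not CA code; the `TrustedHost` class, the function names, the sample inventory, and the reading of "fail over completely" as every trusted host reaching its peak are assumptions.

```python
from dataclasses import dataclass

DEFAULT_MAX_CONNECTIONS = 256  # Policy Server default given on this page

@dataclass
class TrustedHost:               # hypothetical model of one smhost.conf
    name: str
    kind: str                    # "apache", or "pool" for IIS / Sun Java Systems
    primary: bool                # False: uses this Policy Server only for failover
    max_sockets_per_port: int = 20  # pool agents; default given on this page
    min_sockets_per_port: int = 0   # pool agents; take from your agent config
    max_clients: int = 0            # Apache: MaxClients in httpd.conf

    def peak(self) -> int:
        """Most connections this trusted host can open to the Policy Server."""
        return self.max_clients if self.kind == "apache" else self.max_sockets_per_port

    def standby(self) -> int:
        """Connections counted while this server is only the failover target."""
        return self.max_clients if self.kind == "apache" else self.min_sockets_per_port

def normal_load(hosts):
    """Primary hosts at peak plus the failover allowance for the rest."""
    return sum(h.peak() if h.primary else h.standby() for h in hosts)

def full_failover_load(hosts):
    """Assumption: after complete failover every host may reach its peak."""
    return sum(h.peak() for h in hosts)

def assess(hosts, max_connections=DEFAULT_MAX_CONNECTIONS):
    normal, failover = normal_load(hosts), full_failover_load(hosts)
    return {"normal": normal, "failover": failover,
            "normal_ok": normal <= max_connections,
            "failover_ok": failover <= max_connections}

# Constructed inventory (not from the page): five primary pool agents, one
# primary Apache agent, and four pool agents that use this server for failover.
SAMPLE = (
    [TrustedHost(f"iis-{i}", "pool", True, min_sockets_per_port=2) for i in range(5)]
    + [TrustedHost("apache-1", "apache", True, max_clients=100)]
    + [TrustedHost(f"iis-dr-{i}", "pool", False, min_sockets_per_port=2) for i in range(4)]
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

With this inventory the steady-state total fits under 256, but the complete-failover total does not, which is the condition that produces the "Rejected connection request" log message.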


Copyright © 2010 CA. All rights reserved.