Customer has SA6500 cluster running 7.3R7. One authentication server is pointing to a group of five RSA SecurID servers, and this has been working fine for a while. Yesterday, the customer failed over the cluster VIP and rebooted nodes, after which this authentication server stopped working. On investigation, authentication requests were being sent to one of the RSA servers, but its RSA service was broken and it was sending back ICMP Port Unreachables. However, the IVE cluster did not mark the server as "Down" but instead interpreted the response as an authentication rejection.
Is this expected behaviour? I would have thought that the sdconf.rec server load balancing should kick in and the IVE select an alternative node. What algorithm governs the selection of RSA servers? Is it possible to manually restrict the RSA servers defined in sdconf.rec on the IVE? In future, if the same conditions apply, how can my customer resolve it on the IVEs, rather than wait for RSA server administrators to find and fix the issue?