Errors in smps logs

Document ID : KB000074762
Last Modified Date : 23/03/2018
Issue:
We have recently built up DR infrastructure and we are seeing the error messages below in smps.log even though the user is able to access the application:

SmDsLdapConnMgr.cpp:1190][ERROR][sm-LDAP-2230] Error # '81' during search: 'error: can't contact ldap server' search query = '(uid=aregula)'

We verified the user store connectivity from the Admin UI; bind and search were successful from the Admin UI. Why are we getting this error if everything seems to be working?
Cause:
The policy server makes three connections to each user store: ping, authentication, and authorization. The ping connection continuously checks the health of the user store, but the other two connections go idle when there is no user activity. Some user stores (or devices between the policy server and the user store) close idle connections after some time (for instance, Active Directory hosts enforce a 20-minute idle connection timeout). Because the ping connection is still succeeding, the policy server is unaware when one of its other connections times out. It becomes aware of the closed connection only the next time it attempts to use it, and this is where error 81 occurs. Because the ping connection is still succeeding, the policy server knows the store is available and rebuilds the connection before resending the request that resulted in error 81. Due to this behavior, it is normal to see an occasional error 81 in a healthy environment.
Resolution:
Error 81 can occur in a healthy environment if the user store connection times out (for example, after sitting idle). If no authentication/authorization failures are occurring due to this, the error can be safely ignored.
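
To tell the occasional error 81 described above from a sustained run of them, the error lines in smps.log can be bucketed by time. The script below is an added example, not part of the original article or the product: the `[pid/tid][timestamp]` prefix on the sample lines, the 5-minute window and the threshold of 3 are all assumptions to adjust to the real log and environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. The [pid/tid][timestamp] prefix is an assumed layout;
# only the text from "SmDsLdapConnMgr.cpp" onward matches the line in this article.
TAIL = ("[SmDsLdapConnMgr.cpp:1190][ERROR][sm-LDAP-2230] Error # '81' during search: "
        "'error: can't contact ldap server' search query = '(uid=aregula)'")
STAMPS = ["09:02:11", "09:41:50", "14:10:03", "14:10:40", "14:11:15", "14:12:02"]
SAMPLE_LOG = "\n".join(f"[1201/77][Fri Mar 23 2018 {s}]{TAIL}" for s in STAMPS)
SAMPLE_LOG += "\n[1201/77][Fri Mar 23 2018 09:05:00][Example.cpp:1][INFO] constructed unrelated line"

LINE_RE = re.compile(
    r"\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\]"
    r".*\[sm-LDAP-2230\] Error # '(?P<code>\d+)' during search"
)

def error81_times(log_text):
    """Return the timestamp of every sm-LDAP-2230 line whose LDAP error is 81."""
    times = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("code") == "81":
            times.append(datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S"))
    return times

def bursts(log_text, window_minutes=5, threshold=3):
    """Count error 81 lines per fixed window; return windows at or above threshold."""
    buckets = Counter()
    for t in error81_times(log_text):
        start_minute = t.minute - t.minute % window_minutes
        buckets[t.replace(minute=start_minute, second=0)] += 1
    return {start: n for start, n in sorted(buckets.items()) if n >= threshold}

if __name__ == "__main__":
    # Isolated morning errors fit the idle-timeout pattern; the 14:10 cluster does not.
    for start, count in bursts(SAMPLE_LOG).items():
        print(f"{start:%Y-%m-%d %H:%M}  {count} x error 81 in 5 minutes: check the user store")
```

A flagged window is only a prompt to look for authentication/authorization failures in the same period; isolated hits spaced further apart than the idle timeout match the behaviour described under Cause.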