In this kind of scenario, session persistence should be enabled on the load balancer so that all traffic for a single request or thread stays on one Gateway node, rather than half of the conversation going to one node and the other half to another.
The ideal scenario where this would not be observed:
- Policy Manager attempts to connect to a VIP (Virtual IP) on a Load Balancer to reach the Gateway cluster.
- The Load Balancer hosting the VIP then relays the first few client packets to the first Gateway node, including the "Client Hello" packet near the beginning of the handshake process.
- As the first few packets are acknowledged (ACK), the Policy Manager then sends the next few packets to the VIP to continue the handshake process.
- The next wave of packets to the VIP continues on to the same Gateway the conversation originally went to, so that node has the complete context of the communication, most importantly the actual handshake.
The load balancer should be configured for session persistence. Please review vendor documentation on the load balancer to enable that functionality. A quick overview of this "best practice" for the load balancer configuration fronting the Gateway is in the Gateway product documentation.
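To make the failure mode above concrete, here is a small model (added example, not code from the article or from the Gateway product) of one Policy Manager handshake passing through a VIP with and without session persistence; node names, connection ids and message names are constructed.

```python
# Added example: models why a handshake fails when a load balancer without
# session persistence spreads one client's messages across several nodes.
from itertools import cycle

class GatewayNode:
    """Keeps per-connection handshake state, as a real Gateway node must."""
    def __init__(self, name):
        self.name = name
        self.pending = set()  # connections that sent ClientHello here

    def handle(self, conn_id, msg):
        if msg == "ClientHello":
            self.pending.add(conn_id)
            return "ServerHello"
        if msg == "ClientKeyExchange+Finished":
            if conn_id not in self.pending:
                # This node never saw the ClientHello, so it has no context.
                return "Alert(unexpected_message)"
            self.pending.remove(conn_id)
            return "ServerFinished"
        raise ValueError(f"unknown message {msg}")

class LoadBalancer:
    """Routes messages to nodes; with persistence a client is pinned to one node."""
    def __init__(self, nodes, persistence):
        self.persistence = persistence
        self.pinned = {}      # conn_id -> node (only used with persistence)
        self.rr = cycle(nodes)

    def route(self, conn_id, msg):
        if self.persistence:
            if conn_id not in self.pinned:
                self.pinned[conn_id] = next(self.rr)
            node = self.pinned[conn_id]
        else:
            node = next(self.rr)  # each message is distributed independently
        return node.name, node.handle(conn_id, msg)

def run_handshake(persistence, node_count=2):
    """Return the transcript of one handshake as (message, node, reply) tuples."""
    nodes = [GatewayNode(f"gw{i}") for i in range(1, node_count + 1)]
    lb = LoadBalancer(nodes, persistence)
    return [(msg,) + lb.route("pm-conn-1", msg)
            for msg in ("ClientHello", "ClientKeyExchange+Finished")]

def handshake_ok(persistence, node_count=2):
    """True when the handshake completes on a single node."""
    return run_handshake(persistence, node_count)[-1][2] == "ServerFinished"

if __name__ == "__main__":
    for sticky in (True, False):
        print("persistence" if sticky else "no persistence", run_handshake(sticky))
```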
Customers of the CA SaaS Portal & SaaS Gateway: In the CA SaaS infrastructure, the port that clients should use in Policy Manager after the Gateway hostname is 9443 rather than the usual 8443, as 9443 is the port configured for session persistence inside the CA SaaS infrastructure.