Changes in vasd (SAS daemon) database processing are slowing down the ENT cache rebuilding. The following can be seen in the logs:
Sep 9 14:14:20 hostname daemon:notice vasd[8783898]: Pwent flush of <38723> users took <20.0482> seconds, longer than vascache-ipc-timeout of <10>
1) AIX system, 5.0.7, joined with 40K users, 50 access control groups. (Don't know yet if that's part of it, just what the customer has that could be related.)
2) time /opt/quest/libexec/vas/sugi/asdcom SendEntFlush
3) Upgrade to 6.0
4) time /opt/quest/libexec/vas/sugi/asdcom SendEntFlush
Product Defect: 470395
Workaround:
1) vascache-ipc-timeout = 30. This might not be useful in a situation where a timeout lower than 10 seconds is needed.
2) touch /var/opt/quest/vas/vasd/.disable_ac_group_updating. This will disable a forced update of access control groups every 15 minutes, which also triggers a rebuild. The change is safe to run in production and will not cause any outage.
On the next run of the 15-minute interval, the file will be seen, and the update will be skipped. Access control groups will still update during the lazy-cache-update-interval, and memberships of a specific user will be queried from AD during a login.
3) lazy-cache-update-interval = <minutes>. Set this to a much larger value, like 720, for 12-24 hours between updates from AD. It defaults to 10, so every 10-20 minutes (a randomized value between the setting and twice the setting) vasd checks AD for changes, which could also trigger the rebuild. The default is useful in a POC or a quickly changing environment. Changing this is production safe and will not cause any outages. On the next run vasd will pick up the new value and wait the configured time (plus the randomized value) before the following run.
4) Workstation mode. This means fewer users to process, which takes less time. This is a safe but big change, and it is not recommended where the issue is already present, because of the timeframe and testing needed. (If a new environment was being set up, we would suggest starting with this enabled and only disabling it if needed, e.g. for a file server that serves everyone, or a system being used to audit all UNIX-enabled AD users.)
The workarounds cut down the number of times a rebuild is run, so the chances of needing the longer timeout are reduced. By default, a rebuild could be triggered as many as 10 times an hour; with these changes it would move to once every day.
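To judge whether workaround 1 is sufficient on a given host, the slow-flush notices can be tallied from syslog. The following is an added example, not One Identity code: it parses the notice format shown above and reports, per host, the worst flush time, the busiest hour, and how many flushes would still exceed a candidate timeout. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Notice format as shown in this article; the angle brackets are literal.
FLUSH_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d{2}):\d{2}:\d{2}\s+(?P<host>\S+)\s.*"
    r"vasd\[\d+\]: Pwent flush of <(?P<users>\d+)> users took "
    r"<(?P<secs>\d+(?:\.\d+)?)> seconds, longer than "
    r"vascache-ipc-timeout of <(?P<timeout>\d+)>"
)

def parse_flushes(lines):
    """Return one dict per slow-flush notice; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = FLUSH_RE.search(line)
        if m:
            events.append({"host": m["host"], "hour": " ".join(m["stamp"].split()),
                           "users": int(m["users"]), "secs": float(m["secs"]),
                           "timeout": int(m["timeout"])})
    return events

def summarize(events, candidate_timeout=30):
    """Per host: notice count, worst flush, busiest hour, and how many
    flushes would still exceed candidate_timeout (30 is the article's value)."""
    report = {}
    for host in sorted({e["host"] for e in events}):
        mine = [e for e in events if e["host"] == host]
        hour, count = Counter(e["hour"] for e in mine).most_common(1)[0]
        report[host] = {
            "notices": len(mine),
            "max_secs": max(e["secs"] for e in mine),
            "busiest_hour": (hour, count),
            "still_over": sum(e["secs"] > candidate_timeout for e in mine),
        }
    return report

# Constructed sample: the first line is the article's; the rest are invented.
SAMPLE = """\
Sep 9 14:14:20 hostname daemon:notice vasd[8783898]: Pwent flush of <38723> users took <20.0482> seconds, longer than vascache-ipc-timeout of <10>
Sep 9 14:29:41 hostname daemon:notice vasd[8783898]: Pwent flush of <38723> users took <31.5000> seconds, longer than vascache-ipc-timeout of <10>
Sep 9 14:30:02 hostname daemon:notice sshd[1234]: unrelated line
Sep 9 15:02:10 hostname daemon:notice vasd[8783898]: Pwent flush of <38730> users took <18.2500> seconds, longer than vascache-ipc-timeout of <10>
""".splitlines()

if __name__ == "__main__":
    for host, row in summarize(parse_flushes(SAMPLE)).items():
        print(host, row)
```

A non-zero `still_over` at the candidate value means the timeout alone does not cover the observed flushes, and the rebuild-frequency workarounds (2 and 3) matter more on that host.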
Reference KB:
https://support.oneidentity.com/kb/4292996/what-does-disable_ac_group_updating-do
FIX: To be fixed in version 6.0.2 of SAS, product defect ID 470395
© 2025 One Identity LLC. ALL RIGHTS RESERVED.