IDM Loses Connection To the User Store
Article ID: 108093
Updated On:
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
Issue/Introduction
We are seeing IDM fail tasks and lose connection to the user store.
The server log captures the following message:
ERROR [ims.llsdk.directory.jndi] (http-0.0.0.0-8080-6) Failed to connect to LDAP directory ldap://XXXXXXXX:8094 ldap://XXXXXXX.xxxx.com:8094
Reason: Address already in use: connect
We can connect to the user store using an ldap browser and get to records so there does not appear to be an issue with the CA Directory service
Environment
CA Identity Manager 14.x
Resolution
Windows has 2 types of ports, Static(locked and no other software can use) and Ephemeral(a pool of ports that all software can use, first come first serve).
IM speaks to Directory using an Ephemeral port, and then gives it back and gets another when it needs to communicate.
The problem is if too many software are using these ports they can all be used up.
There are 2 primary solutions:
1. Create a bigger pool of ports
2. Decrease the length of time Windows waits to give back the port
TcpTimedWaitDelay -
https://technet.microsoft.com/en-us/library/cc938217.aspx
There are a few other secondary options:
You also need to be careful that none of your software that needs a Specific(Static) Port, that port is in the Ephemeral Port Range.
Here are a few link for Ephmeral Ports for Different Windows OS versions:
2008 https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
2012 https://support.microsoft.com/en-us/help/3014399/various-network-and-computer-issues-occur-when-tcp-ephemeral-ports-are
2016 https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
IM speaks to Directory using an Ephemeral port, and then gives it back and gets another when it needs to communicate.
The problem is if too many software are using these ports they can all be used up.
There are 2 primary solutions:
1. Create a bigger pool of ports
2. Decrease the length of time Windows waits to give back the port
TcpTimedWaitDelay -
https://technet.microsoft.com/en-us/library/cc938217.aspx
There are a few other secondary options:
- MaxUserPort - https://technet.microsoft.com/en-us/library/cc938196.aspx
- TCPWindowSize - https://technet.microsoft.com/en-us/library/cc938219.aspx
- MaxFreeTcbs - https://technet.microsoft.com/en-us/library/cc938178.aspx
- MaxHashTableSize - https://technet.microsoft.com/en-us/library/cc938176.aspx
You also need to be careful that none of your software that needs a Specific(Static) Port, that port is in the Ephemeral Port Range.
Here are a few link for Ephmeral Ports for Different Windows OS versions:
2008 https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
2012 https://support.microsoft.com/en-us/help/3014399/various-network-and-computer-issues-occur-when-tcp-ephemeral-ports-are
2016 https://support.microsoft.com/en-us/help/929851/the-default-dynamic-port-range-for-tcp-ip-has-changed-in-windows-vista
Feedback
Yes
No
Powered by
