Errors "failed to connect to host "DH__@<dh_host>" (10071), retrying..."
Article ID: 125276
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
All of a sudden all device see the following error
12:21:48@oct 04 2018 - failed to connect to host "DH__@<ip_or_name_of_dh>" (10071), retrying...
Ports are open, and DH is working fine. What might be the issue ?
Environment
CA PIM 12.8.X, 19.X, 14.X and PAM SC 14.X
Cause
One of the causes for this problem could be the firewall between the ENTM server and the endpoint is activated after the initial deployment.
Resolution
In order for communication to take place, it does not suffice that a given endpoint is referencing in its options the DH server, but the DH server must be aware to be acting as such. So please verify the following
- If the DH server that the endpoints are pointing to is DH__@<ip_or_name_of_dh>, please do
selang
host DH__@
setoptions -list
and verify that the isdh flag is set to YES. If it is not, then please do
setoptions is_dh+
host DH__@
setoptions -list
and verify that the isdh flag is set to YES. If it is not, then please do
setoptions is_dh+
- Verify that the endpoints are pointing to the correct DH. To do this do, and one of the failing endpoints
selang
setoptions -list
and verify that in the options there is a DH entry pointing to the right DH, that is DH__@<ip_or_name_of_dh>
setoptions -list
and verify that in the options there is a DH entry pointing to the right DH, that is DH__@<ip_or_name_of_dh>
It is also very important to make sure that the DMS and DH are consistent. In the same way that the is_dh flag must be set to YES at the DH, we need to make sure that the is_dms is set to NO in the same DH database.
Conversely, any DMS machine must have the isdms flag to YES and the isdh flag to NO. You can verify that by doing
selang
host DMS__@
setoptions -list
host DMS__@
setoptions -list
A common cause of errors is that the DMS has got the isdh and isdms both set to yes. That may prevent updates from being propagated to the subscribed DH and thus to be delivered to endpoints.
As a next step if the above does not help in resolving the problem, verify if stopping firewall services between ENTM and the endpoint helps to establish the communication. If stopping the firewall is not possible, refer to the product documentation and open the required ports in bi-directional mode.
Additional Information
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-9-02/reference/used-ports.html
Feedback
Yes
No
Powered by
