Errors "failed to connect to host "[email protected]<dh_host>" (10071), retrying..."

Article ID: 125276
Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

All of a sudden, all devices see the following error:

12:21:[email protected] 04 2018 - failed to connect to host "[email protected]<ip_or_name_of_dh>" (10071), retrying...

Ports are open, and the DH is working fine. What might be the issue?

Cause

One possible cause of this problem is that a firewall between the ENTM server and the endpoint was activated after the initial deployment.

Environment

CA PIM 12.8.X, 19.X, 14.X and PAM SC 14.X

Resolution

For communication to take place, it is not enough that a given endpoint references the DH server in its options; the DH server must also be configured to act as a DH. Please verify the following:

  • If the DH server that the endpoints are pointing to is [email protected]<ip_or_name_of_dh>, run
selang
host [email protected]
setoptions -list

and verify that the is_dh flag is set to YES. If it is not, run

setoptions is_dh+

  • Verify that the endpoints are pointing to the correct DH. To do this, run the following on one of the failing endpoints:
selang
setoptions -list

and verify that the options contain a DH entry pointing to the right DH, that is [email protected]<ip_or_name_of_dh>

It is also very important to make sure that the DMS and DH are consistent. In the same way that the is_dh flag must be set to YES on the DH, the is_dms flag must be set to NO in that same DH database.

Conversely, any DMS machine must have the is_dms flag set to YES and the is_dh flag set to NO. You can verify that by running
 
selang
host [email protected]
setoptions -list
 
A common cause of errors is a DMS that has both is_dh and is_dms set to YES. That may prevent updates from being propagated to the subscribed DH and therefore from being delivered to the endpoints.
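The two checks above (is_dh YES / is_dms NO on a DH, the reverse on a DMS) can be scripted against a saved copy of the "setoptions -list" output. The script below is an added example and is not part of this article or of the product; it assumes, as a labelled assumption, that the listing contains lines of the form "is_dh YES" and "is_dms NO" (first word the option name, second word the value), which may not match the real selang output exactly. The sample listings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the KB article or the product).
# Checks a captured "setoptions -list" listing for the is_dh / is_dms
# combination expected of a DH or a DMS.
# ASSUMPTION: the listing is parsed as lines "<option> <value>", where the
# option is is_dh or is_dms and the value is YES or NO. Adjust the awk
# field handling if the real selang output uses a different layout.

# flag_value LISTING OPTION -> prints YES, NO or UNKNOWN
flag_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        tolower($1) == opt { print toupper($2); found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# check_role ROLE LISTING -> prints a verdict, returns 0 only if consistent.
# ROLE is "dh" (expects is_dh YES, is_dms NO) or "dms" (expects the reverse).
check_role() {
    role=$1
    listing=$2
    dh=$(flag_value "$listing" is_dh)
    dms=$(flag_value "$listing" is_dms)
    case "$role" in
        dh)  want_dh=YES; want_dms=NO ;;
        dms) want_dh=NO;  want_dms=YES ;;
        *)   echo "unknown role: $role" >&2; return 2 ;;
    esac
    if [ "$dh" = "$want_dh" ] && [ "$dms" = "$want_dms" ]; then
        echo "$role: OK (is_dh=$dh is_dms=$dms)"
        return 0
    fi
    echo "$role: INCONSISTENT (is_dh=$dh is_dms=$dms; expected is_dh=$want_dh is_dms=$want_dms)"
    return 1
}

# Constructed sample listings (not real selang output).
DH_GOOD='is_dh YES
is_dms NO'
# The misconfiguration the article warns about: a DMS with both flags YES.
DMS_BAD='is_dh YES
is_dms YES'

check_role dh "$DH_GOOD"
check_role dms "$DMS_BAD" || true
```

In practice you would capture the listing on each host (for example by redirecting the selang session output to a file) and pass it to check_role with the role that host is supposed to play; a non-zero exit marks the database whose flags need correcting.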
 
As a next step, if the above does not resolve the problem, verify whether stopping the firewall services between ENTM and the endpoint allows the communication to be established. If stopping the firewall is not possible, refer to the product documentation and open the required ports in both directions.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-9-02/reference/used-ports.html