Azure Cluster Fails to Assign VIP

Article ID: 135926

Products

  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • CA Privileged Access Manager (PAM)
  • CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When starting a PAM cluster, the VIP fails to be assigned. The cluster logs contain messages like the ones below stating that the VIP assignment failed.


Cluster Log Messages:

  • PAM-CMN-2953: WARNING: I should own the VIP but I do not. Assuming the VIP...
  • PAM-CMN-2933: Making attempt 10 to assign the VIP to this cluster member...
  • PAM-CMN-2939: SEVERE: Assigning the VIP to this cluster member failed.
  • PAM-CMN-2940: SEVERE: VIP assignment failure limit reached! No further attempts will be made to assign the VIP to this cluster member until the next cluster restart!

Environment

PAM Cluster in Azure

Cause

PAM clusters in Azure require an available Private IP and a static Public IP for the VIP address. There are a few possible problems that can cause the VIP to fail to be assigned.


  1. The Private IP configured in PAM may have been assigned to another VM
  2. The Public IP may not have been created correctly
  3. There may be a permissions problem with the "App Registration"

Resolution


  1. Ensure that the Private IP configured in PAM is not in use by another VM. Due to the way Azure DNS works, the Private IP used for the PAM VIP is not reserved when a Cluster is shut down. Even if this IP worked previously, the Private IP may be automatically assigned to another VM in the subnet by Azure DNS.
    - The Private IP status can be checked by navigating to Virtual Networks and selecting the network PAM exists in. If the list is long, search for the IP to find it.
  2. Confirm that the Public IP was created correctly. See the "Azure Cluster Requirements" link below and check the "Create VIP for each Azure Region" section for how to create the Public IP.
  3. The "App Registration" needs to be added as a "Contributor" on the Resource Group where PAM and the Virtual Network exist. If the App Registration does not have permissions over both the PAM VMs and the Virtual Network, VIP assignment will fail. See the "Configure an Azure Connection" link below for info on how to configure the App Registration role.
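
The three checks above can also be run from the Azure CLI instead of the portal. The script below is an added example, not part of the original article or the vendor's tooling; it assumes the `az` CLI is installed and logged in, that the Public IP sits in the same Resource Group as PAM and the Virtual Network, and that every name and ID passed in is the operator's own value.

```shell
#!/bin/sh
# Added example: pre-flight checks for the three causes listed in the article.
# Every resource name and ID passed in is the operator's own value.

# Cause 1: the private VIP address must still be free in the virtual network.
vip_private_ip_free() {   # args: resource-group vnet-name private-ip
    out=$(az network vnet check-ip-address --resource-group "$1" \
        --name "$2" --ip-address "$3" --query available -o tsv) || return 2
    # Compare case-insensitively so "True" and "true" are both accepted.
    [ "$(printf '%s' "$out" | tr 'A-Z' 'a-z')" = "true" ]
}

# Cause 2: the public IP must exist and use static allocation.
vip_public_ip_static() {  # args: resource-group public-ip-name
    # Either key casing is accepted, whichever the installed CLI emits.
    out=$(az network public-ip show --resource-group "$1" --name "$2" \
        --query 'publicIPAllocationMethod || publicIpAllocationMethod' \
        -o tsv) || return 2
    [ "$out" = "Static" ]
}

# Cause 3: the App Registration must hold Contributor on the resource group.
app_is_contributor() {    # args: resource-group app-registration-id
    out=$(az role assignment list --assignee "$2" --resource-group "$1" \
        --query '[].roleDefinitionName' -o tsv) || return 2
    # -x matches the whole line, so "Website Contributor" does not count.
    printf '%s\n' "$out" | grep -qx 'Contributor'
}

# Run all three checks and report every failure, not just the first.
preflight() {  # args: resource-group vnet private-ip public-ip-name app-id
    failed=0
    vip_private_ip_free "$1" "$2" "$3" ||
        { echo "FAIL: private IP $3 is not available in $2"; failed=1; }
    vip_public_ip_static "$1" "$4" ||
        { echo "FAIL: public IP $4 is missing or not Static"; failed=1; }
    app_is_contributor "$1" "$5" ||
        { echo "FAIL: $5 is not a Contributor on $1"; failed=1; }
    [ "$failed" -eq 0 ] && echo "OK: all VIP prerequisites satisfied"
    return "$failed"
}

# Usage: sh vip-preflight.sh <resource-group> <vnet> <private-ip> <public-ip-name> <app-id>
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

Run it before restarting the cluster, since PAM-CMN-2940 states that no further assignment attempts are made until the next cluster restart.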


Azure Cluster Requirements:

https://docops.ca.com/ca-privileged-access-manager/3-3/EN/deploying/set-up-a-cluster/cluster-deployment-requirements#ClusterDeploymentRequirements-AzureClusterRequirements

Configure an Azure Connection:

https://docops.ca.com/ca-privileged-access-manager/3-3/EN/deploying/deploy-a-vhd-on-azure/configure-an-azure-connection/