Provisioning Server to Connector Server connection timeout due to Firewall

Article ID: 216879

Products

CA Identity Suite

Issue/Introduction

We have a firewall between Provisioning Server (PS) and Connector Server (CS) running the Active Directory connector to a remote domain.

After some time we are experiencing a connection timeout when PS tries to contact the AD domain via CS.

The other Connector Server, which is reachable without passing through a firewall, works fine every time.

The etatrans log shows:

20210603:172047:TID=1f1b70:Search    :D636:E634:S:+enantNotSet
20210603:172047:TID=1f1b70:Search    :D636:E634:P:     URL: ldaps://<ProvServerHost>:20391
20210603:172047:TID=1f1b70:Search    :D636:E634:P:     base-dn: eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects
20210603:172047:TID=1f1b70:Search    :D636:E634:P:+    ,dc=im
20210603:172047:TID=1f1b70:Search    :D636:E634:P:     scope  : ONE-LEVEL
20210603:172047:TID=1f1b70:Search    :D636:E634:P:     filter : (eTGlobalUserName=etaadmin)
20210603:172047:TID=1f1b70:Search    :D636:E634:P:     attrs  : <ALL>
20210603:172047:TID=1f1b70:Search    :D636:E634:F: SUCCESS: DB Search (eTGlobalUserContainerName=Global Users), entry-count: 1, attr
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+ibutes: objectClass,eTGlobalUserName,eTDescription,eTUserid,eTDisablePasswordExpi
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+ration,eTUserAdminProfile,eTPropagatePassword,eTPasswordExpirationDate,eTPassword
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+ExpirationTime,eTEnableDate,eTDisableDate,eTDeleteDate,eTSuspended,eTwfAvailableW
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+orkflow,eTHidefromABEXC,eTSelfAdminPermitted,eTAdminPermitted,eTCreateUserid,eTCr
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+eateUserName,eTCreateDate,eTCreateTime,eTID,eTPasswordUpdateUserName,eTPasswordUp
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+dateUserid,eTPasswordUpdateNode,eTPasswordUpdateTime,eTPasswordUpdateDate,eTEncry
20210603:172047:TID=1f1b70:Search    :D636:E634:F:+ptedPassword,eTPassword,eTUpdateUserName,eTUpdateUserid,eTUpdateDate,eTUpdateTime
20210603:172047:TID=1f1b70:Search    :S635:E634:S: Connector Server Search (eTADSDirectoryName=XXX.XXO) Requested by User etaadmin -
20210603:172047:TID=1f1b70:Search    :S635:E634:S:+ TenantNotSet
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     URL: ldaps://nnn.nnn.nnn.nnn:20411
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     base-dn: eTADSDirectoryName=XXX.XXO,eTNamespaceName=ActiveDirectory,dc=im
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     scope  : BASE
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     filter : (objectClass=*)
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     attrs  : eTADSmsExchSchemaVersion, objectClass, eTSubclass, eTAllowPartialRes
20210603:172047:TID=1f1b70:Search    :S635:E634:P:+    ult
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     size-limit: 5000
20210603:172047:TID=1f1b70:Search    :S635:E634:P:     time-limit: 90
20210603:172217:TID=1f1b70:Search    :S635:E634:F: FAILURE: Connector Server Search (eTADSDirectoryName=XXX.XXO)
20210603:172217:TID=1f1b70:Search    :S635:E634:F:     rc:  0x0034 (DSA is unavailable)
20210603:172217:TID=1f1b70:Search    :S635:E634:F:     msg: Connector Server Read failed: Timed out (ldaps://nnn.nnn.nnn.nnn:20411)
20210603:172217:TID=1f1b70:Search    :E634:----:F: FAILURE: External Search (eTADSDirectoryName=XXX.XXO)
20210603:172217:TID=1f1b70:Search    :E634:----:F:     rc:  0x0034 (DSA is unavailable)
20210603:172217:TID=1f1b70:Search    :E634:----:F:     msg: :ETA_E_0019<RDI>, Active Directory Endpoint 'XXX.XXO' read failed: Conne
20210603:172217:TID=1f1b70:Search    :E634:----:F:+ctor Server Read failed: Timed out (ldaps://nnn.nnn.nnn.nnn:20411)

Do we have a viable solution to address this issue?


Environment

All Identity Manager

Cause

The PS to CS connection was dropped by the firewall because it exceeded the firewall's idle timeout.

Resolution

Where the firewall idle timeout is set to 5 minutes, meaning the firewall drops any connection that stays idle for more than 5 minutes, the following settings have been proven to work.

1. In Provisioning, set "CS pool minimum size" to 0 so that IMPS does not keep any idle connection open after the expiration time. Note that this setting lives under System->Domain Configuration->Connections in Provisioning Manager, but JXplorer or another third-party LDAP browser must be used to set it to 0.

2. Set the "Expiration Time" value in Provisioning Manager under System->Domain Configuration->Connections to 180 seconds (3 minutes). Since the firewall closes an idle connection after 5 minutes, the "Expiration Time" value must be less than 5 minutes so that the monitoring thread closes any idle connection before the firewall does.

3. Set "refresh time" to 60 seconds, together with the previous two settings ("CS pool minimum size" = 0 and "Expiration Time" = 180).

4. Restart the IMPS service.

With these settings, a connection can sit idle in the pool for at most "expiration time" + "refresh time", i.e. 180 + 60 = 240 seconds, which is below the 5-minute firewall idle timeout.
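The 240-second bound above follows from how the monitoring thread works: a connection that goes idle just after a pass must wait the full expiration time to become eligible, and then up to one more refresh interval for the next pass. The following Python model is an added example, not part of this article and not CA/Broadcom code; it assumes a reaper that runs every "refresh time" seconds and closes pooled connections idle for at least "expiration time" seconds, and a firewall that silently drops sessions idle longer than its timeout. The class and function names are the example's own.

```python
"""Model of a connection-pool idle reaper versus a firewall idle timeout.

Added example (hypothetical model, not CA Identity Suite code). Assumptions:
  * the monitoring thread ("refresh time") runs every `refresh` seconds;
  * on each pass it closes pooled connections idle >= `expiration` seconds;
  * connections counted towards `minimum_size` are never closed;
  * the firewall drops any session idle for `firewall_idle` seconds or more.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolPolicy:
    expiration: int    # "Expiration Time" in seconds
    refresh: int       # "refresh time" in seconds
    minimum_size: int  # "CS pool minimum size"


def worst_case_idle(policy: PoolPolicy):
    """Analytic upper bound on how long a pooled connection can stay idle.

    Returns None when the pool retains connections regardless of idleness
    (minimum_size > 0): those sit idle indefinitely and the firewall will
    eventually drop them, producing the 'Read failed: Timed out' errors.
    """
    if policy.minimum_size > 0:
        return None
    return policy.expiration + policy.refresh


def simulate_idle_until_closed(policy: PoolPolicy, idle_start: int, horizon: int = 3600):
    """Discrete-second simulation of one connection that goes idle at `idle_start`.

    The reaper fires at every multiple of `refresh`; the connection is closed on
    the first pass at which it has been idle for at least `expiration` seconds.
    Returns the idle time at closure, or None if never closed within `horizon`.
    """
    for t in range(idle_start, idle_start + horizon):
        if t % policy.refresh == 0 and t - idle_start >= policy.expiration:
            return t - idle_start
    return None


def max_simulated_idle(policy: PoolPolicy):
    """Worst case over every possible idle start within one refresh interval."""
    results = [simulate_idle_until_closed(policy, s) for s in range(policy.refresh)]
    return max(r for r in results if r is not None)


def survives_firewall(policy: PoolPolicy, firewall_idle: int) -> bool:
    """True if the reaper is guaranteed to close idle connections before the firewall does."""
    bound = worst_case_idle(policy)
    return bound is not None and bound < firewall_idle


if __name__ == "__main__":
    firewall_idle = 300  # 5-minute firewall idle timeout from the article
    recommended = PoolPolicy(expiration=180, refresh=60, minimum_size=0)
    too_long = PoolPolicy(expiration=300, refresh=60, minimum_size=0)
    keeps_idle = PoolPolicy(expiration=180, refresh=60, minimum_size=1)
    for name, pol in [("recommended", recommended), ("expiration=300", too_long), ("min size 1", keeps_idle)]:
        print(f"{name:15} bound={worst_case_idle(pol)} simulated={max_simulated_idle(pol) if pol.minimum_size == 0 else 'unbounded'} "
              f"ok={survives_firewall(pol, firewall_idle)}")
```

Running the block shows the recommended settings bounded at 240 seconds (the simulation peaks at 239, since the bound is reached only in the limit), while an expiration time of 300 seconds gives a 360-second worst case that the firewall cuts first, and any non-zero minimum pool size leaves an unbounded idle connection exactly as in the customer's log.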