Active Directory Update or Verify communication failure for all accounts


Article ID: 223464


Updated On:


CA Privileged Access Manager (PAM)


Password resets for Target accounts are failing and we are unable to create new PAM target accounts for users. Any attempt to verify or update an Active Directory target account from the PAM UI fails after a while with a "Communication Failure" error.

The tomcat log shows timeout errors in class


All calls into Active Directory get hung on a common lock.


Affected Releases : 3.4.1-3.4.3, 4.0.0


This problem is fixed in PAM 3.4.4+, see the following item on page Resolved Issues in 3.4.4:

2707978 DE503873 
Over time, attempts to update and verify target accounts stop working and the PAM administrator receives a "communication failure" error. Additionally, accessing session recordings causes excessively high memory usage.

For PAM 3.4.0-3.4.3 upgrade to release 3.4.4 or 3.4.5 will resolve the problem. For PAM 4.0.0, upgrade to 4.0.1 will resolve it, see page Resolved Issues in 4.0.1.

For a standalone node, a reboot should resolve the problem, at least temporarily.

If observed on a cluster primary site node, either reboot the node in the active cluster (not advisable if there are two primary cluster nodes), or turn the cluster off, and then turn it on again.

Additional Information

The tomcat log, which can be downloaded from Configuration > Diagnostics > Diagnostic Logs > Download will show timeout errors similar to the following. Note specifically the time-out in the class on line 75.

Sep 08, 2021 1:31:21 PM runTargetManager
WARNING: Stack trace of Target Manager thread at time of time-out interrupt: