409 null null errors for multiple A2A clients

Article ID: 255064

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are getting 409 null null errors on multiple A2A clients that used to work in the past. The clients use an external VIP to register with/connect to PAM.

Environment

Release: 4.0.2, but affects any PAM release

Cause

This is related to how PAM determines the source IP of a connecting A2A client using X-Forwarded-For headers; see KB 125564. When the connections came in through the external VIP, the header contained not the A2A client IP but the IP of a common network node. As a result, many incoming connections were associated with the wrong device, namely one that had also been registered with that same IP. A service restart on one node could then overwrite the fingerprint of an existing A2A client entry, matched by IP, breaking a previously working client.

Resolution

Make sure your X-Forwarded-For headers are set correctly so that they point back to the original source IP, that is, the A2A client node. If this cannot be controlled when using an external VIP, an alternative is to configure multiple specific PAM server addresses in the A2A client configuration file; see the documentation page Configure A2A Client Failover in a Multisite Cluster. If you already have the problem, please raise a case with PAM Support to get it addressed.
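The following is an added example, not PAM code and not taken from the KB article: a simplified model of an IP-keyed client registry, showing how a VIP that stamps its own node IP into X-Forwarded-For makes two clients collide, plus a check you can adapt to proxy or load balancer logs. The host names, fingerprints, addresses and the choice of the leftmost header entry as the client address are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample registrations (documentation address ranges, hypothetical hosts).
VIP_NODE = "198.51.100.10"
BAD = [  # VIP puts its own node IP in the header instead of the client address
    {"host": "app01", "fingerprint": "fp-aaa", "xff": VIP_NODE, "peer": VIP_NODE},
    {"host": "app02", "fingerprint": "fp-bbb", "xff": VIP_NODE, "peer": VIP_NODE},
]
GOOD = [  # VIP preserves the original client address as the first entry
    {"host": "app01", "fingerprint": "fp-aaa", "xff": "192.0.2.11, " + VIP_NODE, "peer": VIP_NODE},
    {"host": "app02", "fingerprint": "fp-bbb", "xff": "192.0.2.12, " + VIP_NODE, "peer": VIP_NODE},
]

def source_ip(xff_header, peer_ip):
    """Return the leftmost valid X-Forwarded-For entry, else the TCP peer address."""
    for part in (xff_header or "").split(","):
        try:
            return str(ip_address(part.strip()))
        except ValueError:
            continue  # skip empty or malformed entries
    return peer_ip

def find_collisions(requests):
    """Return resolved source IPs that more than one client host is seen behind."""
    hosts_by_ip = defaultdict(set)
    for req in requests:
        hosts_by_ip[source_ip(req["xff"], req["peer"])].add(req["host"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) > 1}

def register_all(requests):
    """Toy registry keyed by source IP only: a later registration from the same
    IP replaces the stored fingerprint, which is the failure mode described above."""
    registry, overwritten = {}, []
    for req in requests:
        ip = source_ip(req["xff"], req["peer"])
        old = registry.get(ip)
        if old and old["fingerprint"] != req["fingerprint"]:
            overwritten.append((old["host"], req["host"]))
        registry[ip] = {"host": req["host"], "fingerprint": req["fingerprint"]}
    return registry, overwritten

if __name__ == "__main__":
    print("collisions (bad VIP): ", find_collisions(BAD))
    print("collisions (good VIP):", find_collisions(GOOD))
    print("overwritten entries:  ", register_all(BAD)[1])
```

Any IP that `find_collisions` reports for more than one client host is a candidate for the fingerprint overwrite described in the Cause section.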