PAM -- Rest API failures after configuring multiple network adapters

Article ID: 256248

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When we first moved our test environment to 4.0.1, we were unable to make API calls to GB8 addresses.

Today, we switched our primary site, and initially saw the same symptom: API calls (and all traffic to port 443) fail when connecting to GB8, but succeed on GB1. Hotfix 4.0.1.10 is already applied on all nodes. Later on we did find that port 443 is not completely inaccessible, e.g. a telnet client will connect to port 443 on the GB8 address, but our Rest API calls continue to have problems. We have a first call to get target applications for a given device, and then a second call to get target accounts for the applications found. The first call seems to succeed, but the second call returns a 500 (internal server) error. It's possible that this error does not come from PAM, but from the web service we created to make the PAM Rest API calls. However, the same web service has no problem if we have it go to the GB1 address.

Environment

Release : 4.x

Cause

This was eventually determined to be caused by the way the PAM appliance resolved the network path, in conjunction with the client's network dropping packets from a non-originating source. The issue could not be replicated outside of the client's network.

Resolution

To avoid all routing issues, REST API traffic should use the same PAM network IP address that general PAM clients use, which as a best practice is the address on the default network. Using this address lets the replies leave through the default gateway, so that the reply source and network path match those of the incoming request.
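
The path mismatch described under Cause and Resolution can be checked on paper before an API client is pointed at a given appliance address. The following is an added example, not Broadcom's code and not PAM's actual routing logic: a simplified longest-prefix-match model that reports whether replies to a client would leave through the interface the request arrived on. The interface names GB1 and GB8 come from the article; every address, the routing table (default gateway assumed on GB1) and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: only the names GB1/GB8 come from the article.
INTERFACES = {
    "GB1": ipaddress.ip_interface("10.10.1.20/24"),
    "GB8": ipaddress.ip_interface("10.10.8.20/24"),
}
# (destination network, egress interface, gateway or None when on-link)
ROUTES = [
    (ipaddress.ip_network("10.10.1.0/24"), "GB1", None),
    (ipaddress.ip_network("10.10.8.0/24"), "GB8", None),
    # Assumption: the default gateway sits on the GB1 (default) network.
    (ipaddress.ip_network("0.0.0.0/0"), "GB1", ipaddress.ip_address("10.10.1.1")),
]


def egress_interface(dest):
    """Longest-prefix match: the interface a packet to `dest` would leave on."""
    dest = ipaddress.ip_address(dest)
    matches = [route for route in ROUTES if dest in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def check_api_endpoint(client_ip, appliance_ip):
    """Compare the interface owning appliance_ip with the reply's egress interface."""
    appliance_ip = ipaddress.ip_address(appliance_ip)
    ingress = next(
        (name for name, iface in INTERFACES.items() if iface.ip == appliance_ip),
        None,
    )
    if ingress is None:
        raise ValueError(f"{appliance_ip} is not an appliance address")
    egress = egress_interface(client_ip)
    # An asymmetric result means the reply carries a source address that
    # belongs to a different network than the one it is sent out on, which
    # source-validating network devices may drop.
    return {"ingress": ingress, "egress": egress, "symmetric": ingress == egress}


if __name__ == "__main__":
    client = "172.16.50.7"  # constructed API client reached via the default gateway
    for address in ("10.10.1.20", "10.10.8.20"):
        print(address, check_api_endpoint(client, address))
```

In this model the GB1 address gives a symmetric path for the remote client and the GB8 address does not, while a client on the GB8 subnet itself is symmetric because its replies use the on-link route.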