Problem: 

After successfully connecting a new UIM hub (7.x or later) with an SSL tunnel, the hub will be seen to turn red in Infrastructure Manager, and cannot be communicated with.  The hub will not recover until the entire service is manually restarted.

Environment:  

This specific behavior has been observed with Juniper SRX Firewalls but could affect any environment which uses a "stateful" or "session-aware" firewall.

Cause: 

The root cause is a session inactivity timeout set at the firewall level.

For the Juniper SRX firewall, this is controlled by the "inactivity-timeout" keyword in the firewall's application configuration rules.  The default (if no inactivity-timeout) is 30 seconds, but this may be configured to a higher value.  Other firewalls may have similar default values.

The UIM hub manages the suspension and timeout of its own sessions, and session management at the firewall level can interfere with this process.

Resolution:

The resolution is to set the inactivity timeout to "never" for the UIM-related sessions.

An example of this configuration for the Juniper SRX would be:

#

# Allow UIM Tunnel Server Traffic

#

application uim-tunnel {

    protocol tcp;

    destination-port 48003;

    inactivity-timeout never;

}

Additional Information:

Contact your firewall vendor for additional information regarding session inactivity timeouts.