UIM hub tunnel disconnects after a very short time and will not reconnect until the hub is restarted

Article ID: 36082

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

Problem: 

After a new UIM hub (7.x or later) successfully connects over an SSL tunnel, the hub turns red in Infrastructure Manager and can no longer be communicated with. The hub does not recover until the entire service is manually restarted.

Environment:  

This specific behavior has been observed with Juniper SRX Firewalls but could affect any environment which uses a "stateful" or "session-aware" firewall.

Cause: 

The root cause is a session inactivity timeout set at the firewall level.

For the Juniper SRX firewall, this is controlled by the "inactivity-timeout" keyword in the firewall's application configuration rules. The default (if no inactivity-timeout is configured) is 30 seconds, but this may be configured to a higher value. Other firewalls may have similar default values.

The UIM hub manages the suspension and timeout of its own sessions, and session management at the firewall level can interfere with this process.

Resolution:

The resolution is to set the inactivity timeout to "never" for the UIM-related sessions.

An example of this configuration for the Juniper SRX would be:

#
# Allow UIM Tunnel Server Traffic
#
application uim-tunnel {
    protocol tcp;
    destination-port 48003;
    inactivity-timeout never;
}
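The application definition above only changes session aging for traffic matched by a security policy that references it. The following is an added example, not part of the original article, showing one way to bind it to a policy scoped to the two hubs only; the zone names, policy name, address-book entry names and the documentation-range IP addresses are assumptions to be replaced with local values.

```junos
# Added example: zone names, policy name and addresses below are assumptions.
applications {
    application uim-tunnel {
        protocol tcp;
        destination-port 48003;
        inactivity-timeout never;
    }
}
security {
    address-book {
        global {
            # Constructed sample addresses (RFC 5737 documentation ranges)
            address uim-tunnel-client 192.0.2.10/32;
            address uim-tunnel-server 198.51.100.20/32;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            # Policies are evaluated in order, so this one must sit above any
            # broader policy that would match the same traffic.
            policy allow-uim-tunnel {
                match {
                    # Only the hub pair gets sessions that never age out;
                    # other TCP traffic keeps the normal inactivity timeout.
                    source-address uim-tunnel-client;
                    destination-address uim-tunnel-server;
                    application uim-tunnel;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After commit, `show security flow session destination-port 48003` lists the tunnel sessions so the policy they matched can be confirmed.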

Additional Information:

Contact your firewall vendor for additional information regarding session inactivity timeouts.

Environment

Release:
Component: CAUIM