When trying to rotate or synchronize one or more target accounts on a device in PAM, the following error occurs. Other accounts on the same device can still be synchronized and have their passwords rotated successfully.
PAM-CM-1341: Failed to establish a communications channel to the remote host.
The accounts which could no longer be synchronized were locked via the faillock mechanism on the target device.
With the Tomcat log level set to INFO, the following was observed in the Tomcat logs at the time the issue occurred.
2025-09-15T15:31:10.715+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHUserInfoImpl.promptPassword T83589 - jsch: password prompt: 'Password for [email protected]'
2025-09-15T15:31:14.850+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T83589 - jsch: Login trials exceeds 1
2025-09-15T15:31:14.850+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T83589 - jsch: Disconnecting from LinuxDevice1.example.com port 22
On the Linux server, the faillock command showed the account was locked.
# faillock --user demo-account
demo-account:
When          Type  Source     Valid
Timestamp 1   TTY   /dev/tty1  V
Timestamp 2   TTY   /dev/tty1  V
Timestamp 3   TTY   /dev/tty1  V
To unlock the account on the target device, use the faillock command below.
# faillock --user demo-account --reset
# faillock --user demo-account
demo-account:
When          Type  Source     Valid
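Because only some accounts on the device are affected, it helps to list every account that faillock currently holds locked before resetting any of them. The script below is an added example, not part of the original article or the product: it reads faillock output and prints each account whose valid failure records reach the deny threshold. The function names, the svc-backup account, the source addresses and the sample records are constructed, and the threshold of 3 is the pam_faillock default, which may differ on your device.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): list accounts pam_faillock currently locks.

# locked_accounts [DENY]
# Reads `faillock` output on stdin (one or more "user:" sections) and prints
# every user whose number of valid ("V") failure records is >= DENY.
# DENY defaults to 3, the pam_faillock default; pass the device's own value.
locked_accounts() {
    awk -v deny="${1:-3}" '
        function report() { if (user != "" && valid >= deny + 0) print user }
        # A section starts with a single field ending in ":" (the user name).
        NF == 1 && $1 ~ /:$/ {
            report()
            user = substr($1, 1, length($1) - 1)
            valid = 0
            next
        }
        # Failure records end in V (valid) or I (invalid); the header ends in "Valid".
        $NF == "V" { valid++ }
        END { report() }
    '
}

# Constructed sample of `faillock` output for two accounts (not real data).
sample_faillock_output() {
    cat <<'EOF'
demo-account:
When                Type  Source                                           Valid
2025-09-15 15:30:41 RHOST 192.0.2.10                                           V
2025-09-15 15:30:55 RHOST 192.0.2.10                                           V
2025-09-15 15:31:14 RHOST 192.0.2.10                                           V
svc-backup:
When                Type  Source                                           Valid
2025-09-15 09:12:03 RHOST 192.0.2.10                                           I
2025-09-15 15:29:10 RHOST 192.0.2.10                                           V
EOF
}

# On the target device, as root:  faillock | locked_accounts 3
# Offline check with the sample:  sample_faillock_output | locked_accounts 3
```

With the constructed sample and a threshold of 3, only demo-account is reported; svc-backup has a single valid failure and is not locked.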