Solution

Background

The CA API Gateway can be managed and monitored by a centralized server--the CA API Enterprise Service Manager (ESM). The Gateway and ESM communicate securely via an HTTPS API. This API requires network connectivity between the Gateway and ESM over a pre-configured TCP port. If this port is not opened between the two entities then the establishment of trust will fail.

Presentation

Status indicators on ESM's?Manage Gateways?dashboard may appear to indicate a failure. The following example illustrates a Gateway cluster in an unknown state with a single Gateway node that is unable to establish trust with the ESM appliance. The red status indicator shows that the cluster is unavailable or in an unknown state. The handshake indicator with a slash indicates that trust between ESM and the individual node has not yet been established

<Please see attached file for image>

The following error message may be visible in the ESM logs. This error message indicates that the ESM appliance was unable to request certain monitored parameters from the Gateway due to a TCP connection timeout

WARNING 24 com.l7tech.server.ems.monitoring.MonitoringConfigurationSynchronizer: Unable to push down monitoring configuration to 10.10.15.14?for node Gateway2 (30172b305c674138ba92c9039f1d0c92) of cluster 7.1.0 (5a8767fd-0859-4a56-9f35-0871d185d475) due to network error: connect timed out

Troubleshooting

The above statuses indicate that ESM cannot connect and communicate with the Gateway node. This is typically caused by one of two issues:

1. The Gateway node is not configured for remote management
2. A firewall or network device is blocking TCP traffic over a particular port between ESM and the Gateway

Verify that the Gateway node is configured for remote management as follows:

1. Log in to the Gateway appliance as the ssgconfig?user
2. Select Option #5: Display Remote Management configuration menu
3. Ensure that valid settings are configured for Listener IP Address, Listener Port, Remote Node Management Enabled, and Trusted Certificate
4. Select Option S: Save changes and exit
5. Select Option R: Reboot the SSG appliance

1. Log in to the Gateway appliance as the?ssgconfig?user
2. Select Option #3: Use a privileged shell (root)
3. Verify the Gateway is listening on the Listener IP Address and Listener Port configured previously: netstat -tnap | grep 8765

?Note: The value "8765" should reflect the port configured previously and the IP address configured previously should be visible in the output

4. Log in to the ESM appliance as the?ssgconfig?user
5. Select Option #3: Use a privileged shell (root)
6. Attempt to connect to the Listener IP Address and Listener Port configured previously: openssl s_client -connect?10.10.15.14:8765

?Note:?The values "10.10.15.14" and "8765" should respectively reflect the IP address and port configured on the Gateway node being managed.

If the OpenSSL suite returns the following output then there is a network connectivity issue between ESM and the Gateway:

socket: Connection refused
connect:errno=111

This is typically embodied by a network firewall or access control list restricting access between network segments. Please consult the internal networking team for your organization or network before opening an issue with CA Support.