vIDM logins time out on initial attempt, subsequent login attempts proceed without delay

Article ID: 429020


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Initial login attempts to vIDM fail with a 504 gateway timeout error.
  • Retrying the login moments later succeeds without delay.
  • The horizon logs show a socket timeout exception similar to:

    [com.vmware.horizon.common.api.token.SuiteToken.isRevoked] <GreenBox> <correlation_id: > <tenant_id: > <client_ip: > <username: > <device_id: > - Not able to check suite token revocation with the url : https:///SAAS/API/1.0/REST/auth/token?attribute=isRevoked
    java.net.SocketTimeoutException: Read timed out

  • NSX logs show an upstream timeout:

    [error] ... upstream timed out (110: Connection timed out) while reading response header from upstream

Environment

vIDM 3.3.7

Cause

During the login process, the vIDM application attempts to validate the user's security token by making an API call to its own Public FQDN.

The request is sent from the vIDM server to the Load Balancer. However, because the server resides in the same network segment as the Load Balancer's target pool, the network drops the return traffic (asymmetric routing).

The vIDM application waits for the default TCP timeout of 300 seconds (5 minutes) before failing. Once the request times out, the system caches the partial data, allowing subsequent logins to work temporarily until the cache expires.

Resolution

To resolve the issue:

1) Snapshot the vIDM appliances as a best-practice precaution.

2) Update the /etc/hosts file on each vIDM appliance, appending the vIDM's Public FQDN/LB address to the localhost line that begins with 127.0.0.1.

3) Restart the Horizon Workspace service to flush the Java DNS cache and apply the fix.

service horizon-workspace restart
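
One way to script step 2 so it is repeatable across appliances, as an added example that is not part of the original article or any vendor tooling. The function name `add_fqdn_to_loopback`, the `.bak` backup suffix and the FQDN `vidm.example.com` are assumptions; substitute the real Public FQDN.

```shell
#!/bin/sh
# Added example: append a FQDN to the 127.0.0.1 line of a hosts file.
# Idempotent, keeps a .bak copy, and inserts before any trailing "# comment"
# so the new name is not silently commented out.
# Usage (placeholder FQDN): add_fqdn_to_loopback /etc/hosts vidm.example.com
add_fqdn_to_loopback() {
    hosts_file=$1
    fqdn=$2
    [ -f "$hosts_file" ] || { echo "missing: $hosts_file" >&2; return 1; }

    # Already listed on an active (non-comment) part of the loopback line?
    if awk -v f="$fqdn" '
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if (tolower($i) == tolower(f)) found = 1
            }
        }
        END { exit !found }' "$hosts_file"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    # Rewrite into a temp file; awk exits non-zero if no loopback line exists.
    if awk -v f="$fqdn" '
        $1 == "127.0.0.1" && !added {
            c = index($0, "#")
            if (c) {
                head = substr($0, 1, c - 1)
                sub(/[ \t]+$/, "", head)
                print head " " f " " substr($0, c)
            } else {
                print $0 " " f
            }
            added = 1
            next
        }
        { print }
        END { exit !added }' "$hosts_file" > "$tmp"; then
        # Back up first, then overwrite in place to keep owner and mode.
        cp -p "$hosts_file" "$hosts_file.bak" && cat "$tmp" > "$hosts_file"
        rc=$?
    else
        echo "no 127.0.0.1 line in $hosts_file" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

After running it on an appliance, `getent hosts <Public FQDN>` should return 127.0.0.1; the service restart in step 3 is still required.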