Enterprise Service Manager reports Gateway down but Gateway available

Article ID: 42940


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

The CA API Enterprise Service Manager (ESM) is capable of detecting the status of the CA API Gateway appliances that it manages. It can report a Gateway's status as "up" (taking traffic), "down" (processing no traffic), or "unknown" (status not monitored). This gives an administrator or operator a brief at-a-glance view of the availability of a particular cluster of Gateways.

A Gateway is reported as down when ESM is unable to communicate with the Gateway's Process Controller (PC). The PC is a component of the appliance that monitors the status of the Gateway application, reports it to ESM, and restarts the Gateway application in the event of a failure.

Presentation

A Gateway may be reported as "down" even though it continues to process traffic and is available to a load balancer or reverse proxy. While a state of "down" in ESM does not affect the Gateway's availability for service resolution, it does prevent migrating policies to and from the cluster and prevents controlling the node's state. The first step in troubleshooting this issue involves the Manage Listen Ports configuration.

Additionally, you may see the following error message presented by the ESM dashboard when attempting to configure the Gateways managed by ESM: 'Could not send Message', due to 'Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)'. This indicates a cipher-specific issue and requires troubleshooting of the cipher suites and the transport layer security version used by certain ports, as detailed below.

Troubleshooting

There are three distinct items that need to be checked for consistency and validity:

  1. The presence of a Node Control port
  2. A valid SSL/TLS configuration on that port
  3. The use of adequate cipher suites in that configuration

Node Control port

Verify the Manage Listen Ports configuration of the impacted Gateway.

  1. Log onto the Policy Manager of the impacted Gateway as an administrative user
  2. Open the Manage Listen Ports task
  3. Open the properties for port 2124
  4. Ensure that Node Control and Inter-Node Communication are enabled

A Gateway restart should be performed if it was necessary to enable these items.

Cipher suite configuration

If that configuration matches the default, then verify the cipher suites and the version of transport layer security used by the port or ports configured for Published service message input over HTTPS-enabled ports. Specifically, verify that the Default List of cipher suites is enabled. Modifying this list may result in incompatibilities between ESM and a Gateway node.

SSL/TLS configuration

If the cipher suites cannot be restored to the default, or the configuration is already standard, then verify whether the aforementioned ports are configured to use TLS 1.1 and TLS 1.2 simultaneously. If this is the case, the Gateway will not implicitly trust the imported ESM certificate and additional steps need to be taken. To complete the trust relationship between ESM and the SSG under these conditions:

  1. Log in to the Policy Manager as an administrative user
  2. Open the Manage Certificates task
  3. Select Add
  4. Import the ESM certificate into the Manage Certificates task of the Gateway
  5. Set the ESM certificate to be used for Signing client certificates and set it as a trust anchor

Lastly, disable all cipher suites that use Diffie-Hellman key exchange. These ciphers are indicated by the value "DH" in the cipher suite name. Once they are disabled, restart the Gateway service and inspect the ESM dashboard.
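As an added verification step that is not part of this article, the following POSIX shell script uses openssl s_client to confirm from a client machine that a Gateway listen port (2124 by default) no longer negotiates a Diffie-Hellman cipher suite under TLS 1.1 or TLS 1.2. It assumes the openssl command-line tool is installed; the host name in the usage line is a placeholder, and distinguishing finite-field "DH" from elliptic-curve "ECDH" names is this script's own classification.

```shell
#!/bin/sh
# Added verification script, not part of the CA article.
# Assumes the openssl command-line tool is available on the machine running it;
# the host name in the usage comment below is a placeholder.

# Read `openssl s_client` output on stdin and print the negotiated cipher
# name from the SSL-Session block (e.g. DHE-RSA-AES128-SHA). Prints nothing
# when no session was negotiated, which s_client reports as "Cipher : 0000".
negotiated_cipher() {
    sed -n '/Cipher *: *0000/d; s/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Classify the key exchange by cipher name: "DH" for finite-field
# Diffie-Hellman (the kind the prime-size error concerns), "ECDH" for
# elliptic-curve Diffie-Hellman, "none" for anything else (e.g. plain RSA).
kx_class() {
    case "$1" in
        *ECDH*) echo ECDH ;;
        *DH*)   echo DH ;;
        *)      echo none ;;
    esac
}

# Probe one host:port with one TLS version; returns 0 when a session was
# agreed without finite-field DH, 1 when no session, 2 when DH is still on.
probe_port() {
    host=$1; port=$2; proto=$3
    out=$(openssl s_client -connect "$host:$port" "-$proto" </dev/null 2>/dev/null)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    if [ -z "$cipher" ]; then
        echo "$proto: no session negotiated"; return 1
    fi
    case "$(kx_class "$cipher")" in
        DH) echo "$proto: $cipher still uses DH key exchange"; return 2 ;;
        *)  echo "$proto: $cipher (no finite-field DH)"; return 0 ;;
    esac
}

# Usage: sh check_dh.sh gateway.example.com 2124
# Checks both versions the article mentions, TLS 1.1 and TLS 1.2.
if [ $# -ge 2 ]; then
    for proto in tls1_1 tls1_2; do
        probe_port "$1" "$2" "$proto"
    done
fi
```

A result of "no session negotiated" for one version simply means that version is not enabled on the port; a "still uses DH key exchange" line means the cipher list on that port has not yet been changed or the Gateway service has not been restarted.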

Environment

Release:
Component: APIESM