PAM Client Login Loops During Authentication and http access indicates Site Unreachable

Article ID: 438010

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

  • When attempting to log in via PAM Client the authentication process does not complete.
  • The login screen is continuously re-presented to the user after credentials are submitted.
  • HTTPS connections to the PAM appliance from a web browser time out with "This site can't be reached," while SSH access remains functional.
  • Logs: the xcd_spfd.log or the PAM Client logs may show that the SSL handshake does not complete.
  • A tcpdump taken on the client machine shows an initial Client Hello packet sent from the client to PAM that is never answered with a Server Hello packet; after 30 seconds the connection is closed.
  • curl calls to the PAM appliance may take a long time to complete.

Environment

CA PAM 4.2.1, possibly all versions

Cause

The issue may be caused by an incorrect or unreachable DNS configuration on the PAM appliance.

When a PAM Client sends a "Client Hello" packet, the PAM appliance (specifically the xcd_spfd process) attempts to perform some DNS queries.

If the DNS servers configured in the appliance are unreachable or invalid, the process waits for a response that never arrives.

This prevents, or greatly delays, the appliance sending the "Server Hello" needed to complete the SSL handshake. The socket eventually times out and the connection is closed, so the CA PAM Client re-presents the login screen and the web page reports "site unreachable". Sometimes the Server Hello is sent in time and the initial screen is presented.

Resolution

  1. Verify DNS Reachability: Ensure that the DNS servers assigned to the PAM cluster are reachable from the PAM appliances' network segment.
  2. If DNS is not reachable, it must be corrected. This can only be done from the GUI, or by engaging support to manually change /etc/resolv.conf on the appliance if Remote Debugging is enabled. If neither option is available, restore the appliance to the last working configuration or re-enable the DNS server it is trying to use.
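The following script is an added example for working through the symptom and resolution steps above from a client machine on the appliance's network segment; it is not part of this article or of the PAM product. It assumes curl and dig are installed, that PAM_HOST is set to the appliance hostname (the value pam.example.invalid is a placeholder), and that RESOLV_CONF points at a resolv.conf-style file listing the DNS servers the appliance is configured to use. It measures how long the appliance takes to answer the Client Hello (curl's time_appconnect minus time_connect) and checks whether each listed DNS server answers within a short timeout.

```shell
#!/bin/sh
# Added diagnostic helper for the PAM login-loop / "site unreachable" symptom.
# Not Broadcom/CA code. PAM_HOST, RESOLV_CONF and STALL_SECONDS are placeholders
# to adjust for your environment.

PAM_HOST="${PAM_HOST:-pam.example.invalid}"    # placeholder appliance hostname
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}" # file listing the DNS servers to test
STALL_SECONDS="${STALL_SECONDS:-5}"            # TLS delay (seconds) treated as a stall

# Print the nameserver addresses from resolv.conf-style text read on stdin.
parse_nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Classify one TLS handshake from curl's time_connect / time_appconnect values.
# A healthy handshake finishes a fraction of a second after the TCP connect.
# A gap of several seconds, or an appconnect of 0 (handshake never finished),
# matches the "Client Hello sent, Server Hello delayed or absent" symptom.
classify_handshake() {
  awk -v c="$1" -v a="$2" -v t="$STALL_SECONDS" 'BEGIN {
    if (a == 0)          print "FAILED";
    else if (a - c > t)  print "SLOW";
    else                 print "OK";
  }'
}

# For each nameserver read on stdin, send one query with a 3-second timeout.
# dig exits non-zero when the server does not reply at all, which is the
# condition that makes xcd_spfd wait for an answer that never arrives.
check_dns_servers() {
  while read -r ns; do
    if dig +time=3 +tries=1 "@$ns" "$PAM_HOST" >/dev/null 2>&1; then
      echo "$ns reachable"
    else
      echo "$ns unreachable"
    fi
  done
}

# Measure one HTTPS handshake to the appliance and classify it.
# If the appliance uses a private CA, add --cacert <file> to the curl call;
# a certificate verification failure (curl exit 60) is a different problem.
measure_pam_handshake() {
  times=$(curl -s -o /dev/null --max-time 40 \
            -w '%{time_connect} %{time_appconnect}' "https://$PAM_HOST/" || true)
  set -- $times
  classify_handshake "${1:-0}" "${2:-0}"
}

# Run the checks only when executed as pam_tls_check.sh, not when sourced.
if [ "${0##*/}" = "pam_tls_check.sh" ]; then
  echo "DNS servers listed in $RESOLV_CONF:"
  parse_nameservers < "$RESOLV_CONF" | check_dns_servers
  echo "TLS handshake to $PAM_HOST: $(measure_pam_handshake)"
fi
```

Save it as pam_tls_check.sh and run `PAM_HOST=<appliance> sh pam_tls_check.sh`. A SLOW or FAILED handshake together with one or more "unreachable" DNS servers is consistent with the cause described above; a SLOW result with all servers reachable points at something other than DNS, and the handshake check alone does not distinguish the two.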