Varonis FPolicy repeatedly disconnects because of an SSL certificate
Environment
- ONTAP 9
- Varonis FPolicy
Issue
- FPolicy is disconnected and cannot establish a connection.
- After a restart or re-enable, the policy immediately goes back to disabled.
- The controller FPolicy log contains the following:
[kern_fpolicy:info:7675] [virtual smdb_error fpolicy_appcfg_policy_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create]
[kern_fpolicy:info:7675] No Vserver present with vserver ID 11. Adding new Vserver. [0x0x806c46500] src/fsm/fsm_task.cc:4226
[kern_fpolicy:warning:7675] Fpolicy server[10.200.XX.XXX] object provided for adding to external engine [0x0x806c46500] src/fsm/fsm_external_engine.cc:3606
[kern_fpolicy:info:7675] Policy enabled with policy polId = 1. [0x0x806c46500] src/fsm/fsm_task.cc:4354
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500] src/fsm/fsm_external_engine.cc:5011
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500]
- The controller EMS/event log records the following:
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "Connection to FPolicy server is broken(EPIPE) received." ).
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
- In the output of the following command:
security ssl show
a dash (-) is shown for:
- the issuing certificate authority (CA)
- the certificate serial number
- the certificate common name
- SSL Server Authentication Enabled is set to false
Example:
Cluster1::security ssl> show -vserver VS1
Server Certificate Issuing CA: -
Server Certificate Serial Number: -
Server Certificate Common Name: -
SSL Server Authentication Enabled: false
SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
Use a NONCE within OCSP Queries: true
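As an added check that is not part of this article, the following Python parses the security ssl show output above and a short EMS excerpt to flag the two symptoms described here: no server certificate bound to the SVM (all certificate fields show a dash with SSL server authentication false) and the policy being re-enabled and then disabled again. The sample output and log lines are copied from this article and embedded as constructed input.

```python
import re
from collections import Counter
# Sample `security ssl show -vserver VS1` output, copied from this article.
SSL_SHOW = """\
Server Certificate Issuing CA: -
Server Certificate Serial Number: -
Server Certificate Common Name: -
SSL Server Authentication Enabled: false
SSL Client Authentication Enabled: false
"""
# Constructed EMS excerpt built from lines in this article (server IP masked as on the page).
EMS_LOG = """\
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
"""
CERT_FIELDS = ("Server Certificate Issuing CA", "Server Certificate Serial Number",
               "Server Certificate Common Name")

def parse_ssl_show(text):
    """Turn the 'Field: value' lines of security ssl show into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def missing_server_cert(fields):
    """True when every certificate field shows '-' and SSL server authentication is false."""
    no_cert = all(fields.get(f, "-") == "-" for f in CERT_FIELDS)
    auth_off = fields.get("SSL Server Authentication Enabled", "").lower() == "false"
    return no_cert and auth_off
# EMS line shape: [node: process: event:severity]: message ... ( reason: "..." ).
EMS_RE = re.compile(r'\[(?P<node>[^:]+): (?P<proc>\w+): (?P<event>[\w.]+):(?P<sev>\w+)\]'
                    r'(?:.*?reason: "(?P<reason>[^"]*)")?')

def summarize_fpolicy_events(log):
    """Count FPolicy EMS events by (event, reason); flag an enable followed by a disable."""
    counts = Counter()
    states = []
    for line in log.splitlines():
        m = EMS_RE.match(line)
        if not m or "fpolicy" not in m.group("event"):
            continue
        counts[(m.group("event"), m.group("reason") or "")] += 1
        if m.group("event").endswith((".enabled", ".disabled")):
            states.append(m.group("event").rsplit(".", 1)[1])
    cycling = any(a == "enabled" and b == "disabled" for a, b in zip(states, states[1:]))
    return counts, cycling
```

On a live system the two inputs would come from the ONTAP CLI (security ssl show -vserver <svm>) and event log show; the same functions apply unchanged.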