
Varonis FPolicy repeatedly disconnects because of the SSL certificate

Category: ontap-9
Specialty: nas, Varonis FPolicy, 2010095519

Environment

  • ONTAP 9
  • Varonis FPolicy

Issue

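  • FPolicy is disconnected and cannot establish a connection.
  • After a restart/re-enable, it immediately returns to the disabled state.
  • The controller FPolicy log contains the following: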
 
[kern_fpolicy:info:7675] [virtual smdb_error fpolicy_appcfg_policy_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create]
[kern_fpolicy:info:7675] No Vserver present with vserver ID 11. Adding new Vserver. [0x0x806c46500] src/fsm/fsm_task.cc:4226
[kern_fpolicy:warning:7675] Fpolicy server[10.200.XX.XXX] object provided for adding to external engine [0x0x806c46500] src/fsm/fsm_external_engine.cc:3606
[kern_fpolicy:info:7675]  Policy enabled with policy polId = 1. [0x0x806c46500] src/fsm/fsm_task.cc:4354
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500] src/fsm/fsm_external_engine.cc:5011
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500]

 
  • The controller EMS/event log records the following:
 
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "Connection to FPolicy server is broken(EPIPE) received." ).
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
 
  • The security ssl show command displays a dash (-) for the following fields while SSL Server Authentication Enabled is set to false:
    • Issuing certificate authority (CA)
    • Certificate serial number
    • Certificate common name

Example:

Cluster1::security ssl> show -vserver VS1
          Server Certificate Issuing CA: -
         Server Certificate Serial Number: -
          Server Certificate Common Name: -
        SSL Server Authentication Enabled: false
        SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
             Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
         Use a NONCE within OCSP Queries: true
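
A triage check for the two symptoms listed above, as an added example (not NetApp or Varonis code): it counts enabled -> connectError -> disabled cycles per Vserver and policy in EMS text, and tests whether security ssl show output has dashes for the three server-certificate fields with server authentication set to false. The sample input is constructed from the lines quoted in this article, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the EMS lines and the
# "security ssl show" output quoted in this article.
EMS_SAMPLE = """\
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
"""
SSL_SAMPLE = """\
Server Certificate Issuing CA: -
Server Certificate Serial Number: -
Server Certificate Common Name: -
SSL Server Authentication Enabled: false
"""

# [node: source: event.name:severity]: message
EVENT_RE = re.compile(r"^\[[^:\]]+: \w+: ([\w.]+):\w+\]: (.*)$")
# Policy name (quoted or bare) followed later by the Vserver name.
POLICY_RE = re.compile(r'policy "?([\w-]+)"? .*?Vserver (\w+)')

def count_flaps(ems_text):
    """Count enabled -> connectError -> disabled cycles per (vserver, policy)."""
    state, flaps = {}, {}
    for line in ems_text.splitlines():
        m = EVENT_RE.match(line.strip())
        p = POLICY_RE.search(m.group(2)) if m else None
        if not p:
            continue  # not an EMS line that names a policy and Vserver
        key, event = (p.group(2), p.group(1)), m.group(1)
        if event.endswith("policy.enabled"):
            state[key] = "enabled"
        elif event.endswith("server.connectError") and state.get(key) == "enabled":
            state[key] = "failed"
        elif event.endswith("policy.disabled"):
            if state.get(key) == "failed":
                flaps[key] = flaps.get(key, 0) + 1
            state[key] = "disabled"
    return flaps

def ssl_server_cert_missing(ssl_text):
    """True for the symptom above: dashes for CA, serial and CN, server auth false."""
    parts = (line.partition(":") for line in ssl_text.splitlines())
    fields = {k.strip(): v.strip() for k, sep, v in parts if sep}
    cert = ("Server Certificate Issuing CA", "Server Certificate Serial Number",
            "Server Certificate Common Name")
    return (all(fields.get(k) == "-" for k in cert)
            and fields.get("SSL Server Authentication Enabled") == "false")
```
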
 

 
