NetApp Knowledge Base

Fpolicy Error: Establish TCP connection returned error on ONTAP 9.8

Category: ontap-9
Specialty: cifs

Applies to

  • ONTAP 9.8
  • Fpolicy
  • Varonis

Issue

  • ONTAP is not sending FPolicy requests to the FPolicy server.
  • EMS logs show a connection failure for the affected Vserver, with
    reason: "TCP Connection to FPolicy server failed."
    
    mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy Varonis is enabled on Vserver VS1.
    fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.10.10.10"
     of policy "Varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
    mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy Varonis is disabled on Vserver VS1.
    
  • Errors in Fpolicy-mlog-txt.gz show that ONTAP tries to connect to the primary and secondary FPolicy servers but cannot establish a TCP connection. After hitting max retries, the FPolicy server disconnects.

[kern_fpolicy:warning:7468] Fpolicy server[10.10.10.10] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248
[kern_fpolicy:warning:7468] Fpolicy server[10.10.10.20] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248
[kern_fpolicy:info:7468]  Policy enabled with policy polId = 2. [0x0x806476100] src/fsm/fsm_task.cc:3948
[kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805938700] src/fsm/fsm_external_engine.cc:4987
[kern_fpolicy:error:7468] Establish TCP connection returned error.[0x0x805938700] src/fsm/fsm_external_engine.cc:4627
[kern_fpolicy:info:7468] Connect to Server[10.10.10.10] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472
[kern_fpolicy:info:7468] [virtual smdb_error fpolicy_appcfg_server_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create], policy: [2] 
[kern_fpolicy:info:7468] updateStatusTable[disconnect]:: Created entry vs[4] policy[Varonis] server[10.10.10.10] [0x0x805937d00] src/fsm/fsm_external_engine.cc:4608
[kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805937d00] src/fsm/fsm_external_engine.cc:4987
[kern_fpolicy:error:7468] Establish TCP connection returned error.[0x0x805937d00] src/fsm/fsm_external_engine.cc:4627
[kern_fpolicy:info:7468] Connect to Server[10.10.10.20] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472 

  • A packet trace shows that the TCP handshake appears to succeed, but no Negotiate request/response follows.
  • The FPolicy server requests that the connection be closed with [FIN, ACK].
  • After the TCP connection is closed, the FPolicy server tries again to establish a TCP connection. This process repeats in a loop.


  • Example of a successful TCP connection, Negotiate request/response, and Screen request: [screenshot not included]
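In the mlog excerpt above, the "connect failed with errno" lines do not name a server; only the following "hit max retries" line does. The Python below is an added example, not NetApp code: it attributes each errno to the server that next hits max retries and reports whether every configured FPolicy server ended up disconnected, which is the condition under which ONTAP sends no requests to the monitoring server. The function names are this example's own, the sample lines are copied from the excerpt, and it assumes connect errors are logged before the max-retries line for the same server, as they are there.

```python
import re

# Sample input: lines taken from the mlog excerpt above.
SAMPLE = """\
[kern_fpolicy:warning:7468] Fpolicy server[10.10.10.10] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248
[kern_fpolicy:warning:7468] Fpolicy server[10.10.10.20] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248
[kern_fpolicy:info:7468]  Policy enabled with policy polId = 2. [0x0x806476100] src/fsm/fsm_task.cc:3948
[kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805938700] src/fsm/fsm_external_engine.cc:4987
[kern_fpolicy:info:7468] Connect to Server[10.10.10.10] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472
[kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805937d00] src/fsm/fsm_external_engine.cc:4987
[kern_fpolicy:info:7468] Connect to Server[10.10.10.20] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472
"""

LINE = re.compile(r"^\[kern_fpolicy:(\w+):(\d+)\]\s*(.*)$")
ADDED = re.compile(r"Fpolicy server\[([^\]]+)\] object provided for adding")
ERRNO = re.compile(r"connect failed with errno = (\d+)")
MAXRETRY = re.compile(r"Connect to Server\[([^\]]+)\] hit max retries")


def summarize(text):
    """Return {server: {"errnos": [...], "disconnected": bool}} from mlog text."""
    servers = {}
    pending = []  # errnos seen since the last max-retries line
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a kern_fpolicy line
        msg = m.group(3)
        if (a := ADDED.search(msg)):
            servers.setdefault(a.group(1), {"errnos": [], "disconnected": False})
        elif (e := ERRNO.search(msg)):
            pending.append(int(e.group(1)))
        elif (r := MAXRETRY.search(msg)):
            s = servers.setdefault(r.group(1), {"errnos": [], "disconnected": False})
            s["errnos"] += pending  # attribute preceding failures to this server
            s["disconnected"] = True
            pending = []
    return servers


def screening_gap(servers):
    """True when every configured FPolicy server ended up disconnected."""
    return bool(servers) and all(s["disconnected"] for s in servers.values())


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for ip, info in result.items():
        print(ip, "errnos:", info["errnos"], "disconnected:", info["disconnected"])
    print("no FPolicy server reachable:", screening_gap(result))
```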
