Skip to main content
NetApp Knowledge Base

ONTAP 9.8 with OKM: Giveback fails intermittently due to keys missing

Views:
384
Visibility:
Public
Votes:
0
Category:
fas-systems
Specialty:
hw
Last Updated:

Issue

  • ONTAP 9.8 node with OKM fails to import onboard key hierarchy during boot
Tue Oct 05 12:06:01 -0500 [Clus-02: sysinit_thread: crypto.debug:info]: cryptomod key table initialized with room for 10 keys (0 pages).
Tue Oct 05 12:06:01 -0500 [Clus-02: sysinit_thread: crypto.ssal.failed:alert]: SSAL operation failed: SSAL Unseal operation failed.
Tue Oct 05 12:06:01 -0500 [Clus-02: sysinit_thread: crypto.debug:info]: Onboard key hierarchy import failed: failed to create NKEK: 31.
Tue Oct 05 12:06:01 -0500 [Clus-02: sysinit_thread: crypto.okmrecovery.failed:alert]: ERROR: Import of the onboard key hierarchy failed: failed to import key hierarchy. Additional information: error: ssal unseal failedWed Oct 05 12:10:01 -0500 [Cluster01-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate Aggr_1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node Cluster01-02.
...
Tue Oct 05 12:07:01 -0500 [Clus-02: rc: cf.fm.waitingForGB:debug]: params: {'reason': 'WFG: partner f/w state is SF_TO'}
Tue Oct 05 12:09:40 -0500 [Clus-02: clam.node.inq:info]: Cluster node (name=CS_OTH_TR2_PRD1-01, ID=1000) is in "CLAM quorum".
Tue Oct 05 12:09:40 -0500 [Clus-02: clam.node.avail.change:debug]: The availability status of node (name=CS_OTH_TR2_PRD1-01, ID=1000) changed from Unknown to Available.
...
Tue Oct 05 12:10:01 -0500 [Clus-02: monitor: monitor.globalStatus.ok:notice]: The system's global status is normal. 
​Tue Oct 05 12:10:01 -0500 [Clus-02: monitor: license.state.v2.modified:debug]: Licensing state for local node changed from false to true.​​​​

  • ONTAP 9.8 partner node vetoes SFO giveback due to keys missing 
Tue Oct 05 12:10:01 -0500 [Clus-01: cf_giveback: sfo.sendhome.subsystemAbort:alert]: The giveback operation of 'Aggr_1' was aborted by 'keymanager'
Tue Oct 05 12:10:01 -0500 [Clus-01: sfo.giveback.failed:alert]: Giveback of aggregate Aggr_1 failed due to Giveback was vetoed..
Tue Oct 05 12:10:01 -0500 [Clus-01: The giveback operation of 'Aggr_1' was aborted by 'keymanager'.
Tue Oct 05 12:10:01 -0500 [Clus-01: sfo.retry.autoGiveback:info]: Automatic giveback of SFO aggregates will be retried after 5 minutes.
​​​​...
Tue Oct 05 12:15:01 -0500 [Clus-01: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate Aggr_1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node Cluster01-02.
Tue Oct 05 12:15:01 -0500 [Clus-01: cf_giveback: sfo.sendhome.subsystemAbort:alert]: The giveback operation of 'Aggr_1' was aborted by 'keymanager'
​​​Tue Oct 05 12:15:01 -0500 [Clus-01: The giveback operation of 'Aggr_1' was aborted by 'keymanager'.
Tue Oct 05 12:15:01 -0500 [Clus-01: sfo.giveback.attemptExceeded:alert]: Attempts for automatic giveback of SFO aggregates exceeded the maximum number (3) of allowed attempts.

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

Scan to view the article on your device