Encrypted volumes offline because of manual giveback with override vetoes
Applies to
- ONTAP 9
- Data At Rest Encryption
- Onboard Key-Manager
Issue
- During a node reboot (for any reason, such as maintenance or an ONTAP upgrade), giveback failures are reported at regular intervals:
[node2: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to the unavailability of the volume encryption keys for the encrypted volumes of the aggregate on partner node node1.
- Giveback is performed manually by overriding vetoes, after which the encrypted volumes go offline:
[node1: vv_apply_special18: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID 2075XXXX-XXXX-XXXX-XXXX-XXXXXXXXea91 due to Encryption key error.. Volume is taken offline due to transient errors.
- If this happens during an upgrade, the automated nondisruptive upgrade (ANDU) can pause:
cluster1::> cluster image show-update-progress
                                             Estimated         Elapsed
Update Phase         Status                   Duration        Duration
-------------------- ----------------- --------------- ---------------
Pre-update checks    completed                00:10:00        00:00:52
ONTAP updates        completed                02:34:00        02:06:29
Post-update checks   paused-on-error          00:10:00        00:40:38

Details:

Post-update Check    Status            Error-Action
-------------------- ----------------- --------------------------------------
Volume Health Status Error             Error: Volumes are found to be not
                                       online after the upgrade.
                                       Action: Check for volumes not online
                                       in the cluster.

Status: Paused - An error occurred in "Post-update checks" phase. The update cannot continue until the error has been resolved. Resolve all issues, then use the "cluster image resume-update" command to resume the update.
- The command security key-manager key show (deprecated in ONTAP 9.6) shows the following error:
Error: One or more nodes have onboard key management keys that need to be restored. Run the "security key-manager onboard sync" command to restore the onboard key hierarchy on those nodes.
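
A triage sketch for the two EMS messages above, added here as an example and not NetApp's own tooling: it pairs each key-missing giveback veto with any later key-error mount failure on the same node, which separates nodes where the veto still holds from nodes where it was overridden. The line layout is assumed from the two messages quoted on this page, and the function names are hypothetical.

```python
import re

# EMS line shape as printed on this page: [node: process: event.name:severity]: message
EMS_RE = re.compile(r"^\[([^:\]]+): ([^:\]]+): ([\w.]+):(\w+)\]: (.*)$")
VETO_RE = re.compile(r"Giveback of aggregate (\S+) failed .* on partner node (\S+?)\.?$")
MOUNT_RE = re.compile(r"Unable to mount volume (\S+), UUID \S+ due to Encryption key error")

def correlate(lines):
    """Group key-missing giveback vetoes and later key-error mount failures by node."""
    report = {}  # node whose keys are missing -> aggregates vetoed, volumes offline
    for line in lines:
        m = EMS_RE.match(line.strip())
        if not m:
            continue  # not an EMS line in the assumed shape
        node, _proc, event, _sev, msg = m.groups()
        if event == "gb.sfo.veto.kmgr.keysmissing":
            v = VETO_RE.search(msg)
            if v:
                entry = report.setdefault(v.group(2), {"aggregates": [], "offline_volumes": []})
                if v.group(1) not in entry["aggregates"]:  # the veto repeats at intervals
                    entry["aggregates"].append(v.group(1))
        elif event == "wafl.mount.transient.error":
            w = MOUNT_RE.search(msg)
            # Count only mount failures on a node already vetoed for missing keys.
            if w and node in report and w.group(1) not in report[node]["offline_volumes"]:
                report[node]["offline_volumes"].append(w.group(1))
    return report

def overridden(report):
    """Nodes where giveback was vetoed for missing keys and volumes then went offline."""
    return sorted(n for n, e in report.items() if e["offline_volumes"])

# Lines 1 and 4 are the messages quoted on this page; lines 2, 3 and 5 are constructed.
SAMPLE = [
    "[node2: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to the unavailability of the volume encryption keys for the encrypted volumes of the aggregate on partner node node1.",
    "[node2: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr1 failed due to the unavailability of the volume encryption keys for the encrypted volumes of the aggregate on partner node node1.",
    "[node2: mgwd: example.unrelated.event:notice]: constructed filler line",
    "[node1: vv_apply_special18: wafl.mount.transient.error:error]: WAFL: Unable to mount volume vol1, UUID 2075XXXX-XXXX-XXXX-XXXX-XXXXXXXXea91 due to Encryption key error.. Volume is taken offline due to transient errors.",
    "[node3: cf_giveback: gb.sfo.veto.kmgr.keysmissing:error]: Giveback of aggregate aggr3 failed due to the unavailability of the volume encryption keys for the encrypted volumes of the aggregate on partner node node4.",
]

if __name__ == "__main__":
    result = correlate(SAMPLE)
    for name, entry in result.items():
        state = "veto overridden, volumes offline" if entry["offline_volumes"] else "veto in effect"
        print(name, entry["aggregates"], entry["offline_volumes"], state)
```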