Node Timeout While Connecting to (KMIP) External Key Manager
Applies to
- ONTAP 9
- External Key Management (EKM) / KMIP configurations
Issue
::> security key-manager external show-status output:
Node: nascls032-n03
Vserver: nascls032
KeyServerPort: 5696
KMIP is operational: false
Reason: IO

KeyServer        Role      Server Status    Reason
----------------------------------------------
10.176.175.121   primary   not-responding   IO
10.223.204.26    primary   not-responding   IO
EMS logs:
[node01:mgwd:km.keyserver.notavailable:alert]: The external key management server "10.xx.yy.121:5696" is not available for Vserver "vserver01", status: "not-responding".
[node01:mgwd:km.keyserver.notavailable:alert]: The external key management server "10.xx.yy.26:5696" is not available for Vserver "vserver01", status: "not-responding".
KMIP2 client logs:
ERR: kmip2::kmipCmds::KmipConnection:[cryptsoftErrorCb]: Error: kmip_ssl_conn_do_handshake: 10.xx.xy.121
ERR: kmip2::tables::kmip_keyserver_status:[setKeyServerStatus]: Received an exception in setting up TLS connection: IO(10)
Cryptsoft error code 10 = IOError: TCP connection never established, TLS handshake cannot begin.
- TCP connectivity tests from the affected node timed out, while the same tests from the partner node succeeded.
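As an added example (not NetApp's code and not part of the original article), the following Python parses km.keyserver.notavailable EMS events in the format shown above and checks whether the outage is confined to one node, which is the pattern described here where the affected node fails and its partner succeeds. The node names, key server addresses and the classification heuristic are assumptions of this example, and the sample events are constructed.

```python
import re
from collections import defaultdict

# EMS event layout taken from the excerpt in this article.
EMS_RE = re.compile(
    r'\[(?P<node>[^:\]]+):mgwd:km\.keyserver\.notavailable:\w+\]: '
    r'The external key management server "(?P<server>[^"]+)" is not available '
    r'for Vserver "(?P<vserver>[^"]+)", status: "(?P<status>[^"]+)"'
)

# Constructed sample: two events run together on one line, as they often
# appear in pasted logs. Addresses are documentation-range placeholders.
SAMPLE = (
    '[node01:mgwd:km.keyserver.notavailable:alert]: The external key management server '
    '"192.0.2.10:5696" is not available for Vserver "vserver01", status: "not-responding".'
    '[node01:mgwd:km.keyserver.notavailable:alert]: The external key management server '
    '"192.0.2.20:5696" is not available for Vserver "vserver01", status: "not-responding".'
)

def parse_events(text):
    """Return (node, server, vserver, status) tuples, even when events are fused."""
    return [(m["node"], m["server"], m["vserver"], m["status"])
            for m in EMS_RE.finditer(text)]

def classify(events, cluster_nodes, key_servers):
    """Heuristic (an assumption of this example): compare which nodes report
    which key servers as not-responding to decide where to look first."""
    down = defaultdict(set)
    for node, server, _vserver, status in events:
        if status == "not-responding":
            down[node].add(server)
    servers, nodes = set(key_servers), set(cluster_nodes)
    # Nodes that cannot reach any configured key server.
    isolated = {n for n in nodes if servers and down.get(n, set()) >= servers}
    # Servers that every node in the cluster reports as unreachable.
    dead = {s for s in servers if nodes and all(s in down.get(n, set()) for n in nodes)}
    if isolated and isolated != nodes:
        return "node-local", sorted(isolated)    # check that node's LIFs, routes, firewall
    if dead:
        return "server-or-shared-path", sorted(dead)
    return "inconclusive", sorted(down)

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    print(classify(events, ["node01", "node02"],
                   ["192.0.2.10:5696", "192.0.2.20:5696"]))
```
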
