ONTAP 9 giveback operation was vetoed by keymanager
Applies to
- ONTAP 9
- Onboard Key Manager (OKM)
- NetApp Volume Encryption (NVE)
- NetApp Aggregate Encryption (NAE)
- Giveback operation
- NDU pause operation
Issue
- Storage giveback operation is vetoed.
- If running a ONTAP NDU, a paused-on-error may show a issue with the SFO aggregate giveback:
Error: Giveback of SFO aggregate is vetoed., Action: Use the "storage failover show-giveback" command to view the detailed veto status information. Correct the vetoed subsystem. Use the "storage failover giveback -ofnode <node>" command to complete the giveback.
-
Storage failover show-givebackindicates the giveback is vetoed by keymanager:
::*> storage failover show-giveback
Partner
Node Aggregate Giveback Status
-------------- ----------------- ---------------------------------------------
<node1>
CFO Aggregates Done
aggr1
Failed: Operation was vetoed by keymanager.
Check the event log
- Event log show may have gb.sfo.veto.kmgr.keymissing errors:
::*> event log show -node * -event gb*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
<Time> <node> ERROR gb.sfo.veto.kmgr.keysmissing: Giveback of aggregate aggr1 failed due to unavailability of volume encryption keys for the encrypted volumes of the aggregate on the partner node
ALERT crypto.import.failed: ERROR: Import of key with key ID <key> failed. Additional information: wrapping key not found.
ALERT sfo.sendhome.subsystemAbort: The giveback operation of '<aggr>' was aborted by 'keymanager'