FPolicy enable does not result in engine-connect with many policies for ONTAP 9

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 1,231

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9
Varonis

Issue

A large number of FPolicy Policies can cause a timing problem in internal ONTAP tables that causes some policies to be in a disconnected state.
This has been observed specifically with Varonis FPolicy software and when FPolicy policies are over 60 policies cluster wide. (based on internal lab testing). Varonis will poll via ZAPI on a regular basis to ensure all collectors are connected. When this polling takes place, the collector, based on version, sends a blanketed disconnect to all Vservers proceeded by a reconnect.
In normal situations, Varonis sends a request to enable the policy to the Vservers . When a policy is enabled, it also automatically triggers an engine-connect, the Vservers will reach out on port 2002 to establish the FPolicy session. In this particular scenario, the Vservers receives the ZAPI request “fpolicy enable” and some if not all policies stay in a disconnected state. A network trace might also show a lack of any traffic from the Vservers data LIF on port 2002 to the FPolicy server.

Active IQ System Risk Detection

For customers who have enabled AutoSupport™ on their storage systems, the Active IQ Portal provides detailed System Risk reports at the customer and site and system levels. The reports show systems that have specific risks as well as severity levels and mitigation action plans. You may be reading this article as a result of one of those alerts. If this error is present in your logs:

[mgwd: mgmt.fpolicy.replay.failed:error]: FPolicy configuration replication process failed.

And Varonis Fpolicy is used with many fpolicy policies, please consider updating to the latest Fpolicy vendor software to help mitigate this issue.