Fpolicy Error: "Establish TCP connection returned error", because Data LIF service-policy is missing the data-fpolicy-client service

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 3,409

Visibility:: Public

Votes:: 2

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9.8 or higher
FPolicy
Varonis
Cloud Insight WorkLoad Security (CI)

Issue

ONTAP is not sending FPolicy requests to the FPolicy server.

EMS Logs will exhibit failure to connect for affected vserver

reason: "TCP Connection to FPolicy server failed."

mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy Varonis is enabled on Vserver VS1.
fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.10.10.10"
 of policy "Varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy Varonis is disabled on Vserver VS1.

Fpolicy-mlog-txt.gz errors show that ONTAP tries to connect to primary and secondary fpolicy servers, but can't establish TCP connection. After hitting max retries, the fpolicy server disconnects.

[kern_fpolicy:warning:7468] Fpolicy server[10.10.10.10] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248 [kern_fpolicy:warning:7468] Fpolicy server[10.10.10.20] object provided for adding to external engine [0x0x806476100] src/fsm/fsm_external_engine.cc:3248 [kern_fpolicy:info:7468] Policy enabled with policy polId = 2. [0x0x806476100] src/fsm/fsm_task.cc:3948 [kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805938700] src/fsm/fsm_external_engine.cc:4987 [kern_fpolicy:error:7468] Establish TCP connection returned error.[0x0x805938700] src/fsm/fsm_external_engine.cc:4627 [kern_fpolicy:info:7468] Connect to Server[10.10.10.10] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472 [kern_fpolicy:info:7468] [virtual smdb_error fpolicy_appcfg_server_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create], policy: [2] [kern_fpolicy:info:7468] updateStatusTable[disconnect]:: Created entry vs[4] policy[Varonis] server[10.10.10.10] [0x0x805937d00] src/fsm/fsm_external_engine.cc:4608 [kern_fpolicy:error:7468] connect failed with errno = 51. [0x0x805937d00] src/fsm/fsm_external_engine.cc:4987 [kern_fpolicy:error:7468] Establish TCP connection returned error.[0x0x805937d00] src/fsm/fsm_external_engine.cc:4627 [kern_fpolicy:info:7468] Connect to Server[10.10.10.20] hit max retries Setting the state to SERVER_DISCONNECTED. [0x0x805937d00] src/fsm/fsm_external_engine.cc:2472

Following error can be seen in fpolicy-mlog-txt.gz as well:

[kern_fpolicy:error:5758] LIF_availability_check call Failed with error[-1]. [0x0x80593bc00] src/fsm/fsm_external_engine.cc:4875 [kern_fpolicy:error:5758] Establish TCP connection returned error.[0x0x80593bc00] src/fsm/fsm_external_engine.cc:4778

[kern_fpolicy:info:5758] updateStatusTable[disconnect]:: Created entry vs[4] policy[cloudsecure_cifs-fs011_policy] server[<IP>] [0x0x80593c100] src/fsm/fsm_external_engine.cc:4759 [kern_fpolicy:error:5758] connect failed with errno = 51. [0x0x80593c600] src/fsm/fsm_external_engine.cc:5138
Packet Trace capture shows that TCP handshake looks like it's successful, but we don't see the Negotiate request/response.
The FPolicy server requests the connection be closed with [FIN, ACK].
After the TCP connection is closed, the FPolicy server tries again to establish a TCP connection. This process continues on loop.

Establish TCP connection returned error on ONTAP

Example of successful TCP connection, Negotiate req/response, and Screen req:

Policy server tries again to establish a TCP connection