NetApp Knowledge Base

Varonis FPolicy disconnecting repeatedly due to SSL Certificate

Category:
ontap-9
Specialty:
NAS
Applies to

  • ONTAP 9
  • Varonis FPolicy

Issue

  • FPolicy is broken and cannot establish a connection.
  • After a restart or re-enable, the policy reverts to disabled shortly afterwards.
  • The controller FPolicy logs contain:
 
[kern_fpolicy:info:7675] [virtual smdb_error fpolicy_appcfg_policy_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create]
[kern_fpolicy:info:7675] No Vserver present with vserver ID 11. Adding new Vserver. [0x0x806c46500] src/fsm/fsm_task.cc:4226
[kern_fpolicy:warning:7675] Fpolicy server[10.200.XX.XXX] object provided for adding to external engine [0x0x806c46500] src/fsm/fsm_external_engine.cc:3606
[kern_fpolicy:info:7675]  Policy enabled with policy polId = 1. [0x0x806c46500] src/fsm/fsm_task.cc:4354
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500] src/fsm/fsm_external_engine.cc:5011
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500]

 
  • The controller EMS/Event log contains:
 
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "Connection to FPolicy server is broken(EPIPE) received." ).
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
 
  • The output of the command security ssl show has SSL Server Authentication Enabled set to false and shows dashes ( - ) for:
    • the issuing Certificate Authority (CA),
    • the certificate serial number,
    • the certificate common name.

Example:

Cluster1::security ssl> show -vserver VS1
                   Server Certificate Issuing CA: -
                Server Certificate Serial Number: -
                  Server Certificate Common Name: -
               SSL Server Authentication Enabled: false
               SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
                        Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
                 Use a NONCE within OCSP Queries: true
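
A check for the symptom shown in the example above, as an added example (not NetApp or Varonis code): it parses saved security ssl show output and reports whether the server certificate fields are unset and SSL server authentication is off. The function names and the sample text are constructed for illustration; the field labels are the ones in the output above.

```python
import re

# Fields from `security ssl show` that identify the installed server certificate.
CERT_FIELDS = (
    "Server Certificate Issuing CA",
    "Server Certificate Serial Number",
    "Server Certificate Common Name",
)
AUTH_FIELD = "SSL Server Authentication Enabled"
PROMPT = re.compile(r"^\S+::.*>")  # e.g. "Cluster1::security ssl> show ..."


def parse_ssl_show(text):
    """Turn saved `security ssl show -vserver <name>` output into {label: value}."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line):
            continue
        # Labels never contain ':'; a value (an OCSP URI) may, so split once.
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def check_server_cert(text):
    """Return findings matching the symptom in this article (empty list = none)."""
    fields = parse_ssl_show(text)
    findings = []
    for name in CERT_FIELDS:
        # A missing field is treated the same as a dash: nothing is configured.
        if fields.get(name, "-") in ("-", ""):
            findings.append(f"{name} is unset")
    if fields.get(AUTH_FIELD, "false").lower() != "true":
        findings.append(f"{AUTH_FIELD} is not true")
    return findings


# Constructed sample reusing the layout and values of the example above.
SAMPLE = """\
Cluster1::security ssl> show -vserver VS1
                   Server Certificate Issuing CA: -
                Server Certificate Serial Number: -
                  Server Certificate Common Name: -
               SSL Server Authentication Enabled: false
URI of the Default Responder for OCSP Validation:
"""

if __name__ == "__main__":
    for finding in check_server_cert(SAMPLE):
        print("FINDING:", finding)
```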
 
