Varonis FPolicy repeatedly disconnects because of the SSL certificate
Applies to
- ONTAP 9
- Varonis FPolicy
Issue
- FPolicy is disconnected and cannot establish a connection.
- Restarting or re-enabling the policy quickly reverts it to the disabled state.
- The controller FPolicy log contains:
[kern_fpolicy:info:7675] [virtual smdb_error fpolicy_appcfg_policy_status_db_iterator::notify_imp(smdb_cdb_iterator::operation)] operation: [create]
[kern_fpolicy:info:7675] No Vserver present with vserver ID 11. Adding new Vserver. [0x0x806c46500] src/fsm/fsm_task.cc:4226
[kern_fpolicy:warning:7675] Fpolicy server[10.200.XX.XXX] object provided for adding to external engine [0x0x806c46500] src/fsm/fsm_external_engine.cc:3606
[kern_fpolicy:info:7675] Policy enabled with policy polId = 1. [0x0x806c46500] src/fsm/fsm_task.cc:4354
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500] src/fsm/fsm_external_engine.cc:5011
[kern_fpolicy:error:7675] connect failed. errno = 61 [0x0x80807b500] src/fsm/fsm_external_engine.cc:5357
[kern_fpolicy:error:7675] Establish TCP connection returned error.[0x0x80807b500]
- The controller EMS/event log contains:
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "Connection to FPolicy server is broken(EPIPE) received." ).
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.XX.XXX" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.XX.XXX" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
- The command security ssl show displays a dash (-) for the following fields:
- Server Certificate Issuing CA
- Server Certificate Serial Number
- Server Certificate Common Name
- and SSL Server Authentication Enabled is set to false
Example:
Cluster1::security ssl> show -vserver VS1
Server Certificate Issuing CA: -
Server Certificate Serial Number: -
Server Certificate Common Name: -
SSL Server Authentication Enabled: false
SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
Use a NONCE within OCSP Queries: true
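The following is an added triage helper, not part of this article and not NetApp or Varonis tooling. It parses EMS lines in the format shown above and the output of security ssl show for the SVM, then reports whether a policy is cycling through connect error, disabled, enabled (the flapping symptom) while the SVM's server certificate fields are dashed and server authentication is off. The sample EMS lines and security ssl show output are constructed to match the symptoms listed in this article (the FPolicy server address 10.200.0.10 and the two-cycle threshold are assumptions); run it against a real EMS export and the real command output to confirm the symptom pattern before going further.

```python
"""Triage helper for the FPolicy flapping symptom (added example, not from the KB or NetApp)."""
import re
from collections import defaultdict

# Constructed sample EMS lines patterned on the article's output; not captured from a real cluster.
EMS_SAMPLE = """\
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.0.10" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.connectError:error]: Node failed to establish a connection with the FPolicy server "10.200.0.10" of policy "varonis" for Vserver VS1 (reason: "TCP Connection to FPolicy server failed.").
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
[Cluster1-01: mgwd: mgmt.fpolicy.policy.enabled:info]: FPolicy policy varonis is enabled on Vserver VS1.
[Cluster1-01: fpolicy: fpolicy.server.disconnect:error]: Connection to the FPolicy server "10.200.0.10" of policy "varonis" is broken for Vserver VS1 ( reason: "FPolicy server is removed from external engine." ).
[Cluster1-01: mgwd: mgmt.fpolicy.policy.disabled:info]: FPolicy policy varonis is disabled on Vserver VS1.
"""

# Constructed `security ssl show -vserver VS1` output showing the symptom (dashed certificate fields).
SSL_SHOW_SAMPLE = """\
Server Certificate Issuing CA: -
Server Certificate Serial Number: -
Server Certificate Common Name: -
SSL Server Authentication Enabled: false
SSL Client Authentication Enabled: false
"""

# [node: process: event.name:severity]: message
EMS_LINE = re.compile(r'^\[(?P<node>[^:]+): (?P<proc>\w+): (?P<event>[\w.]+):(?P<sev>\w+)\]: (?P<msg>.*)$')
# Matches both `of policy "varonis"` and `FPolicy policy varonis is ...` (case-sensitive, so "FPolicy" is skipped).
POLICY_RE = re.compile(r'policy "?(?P<policy>[\w.-]+)"?')
SVM_RE = re.compile(r'Vserver (?P<svm>[\w-]+)')

CERT_FIELDS = ("Server Certificate Issuing CA",
               "Server Certificate Serial Number",
               "Server Certificate Common Name")


def parse_ems(text):
    """Return a list of FPolicy-related EMS events with svm and policy extracted."""
    events = []
    for line in text.splitlines():
        m = EMS_LINE.match(line.strip())
        if not m:
            continue
        pol, svm = POLICY_RE.search(m["msg"]), SVM_RE.search(m["msg"])
        if pol and svm:
            events.append({"node": m["node"], "event": m["event"], "severity": m["sev"],
                           "policy": pol["policy"], "svm": svm["svm"]})
    return events


def detect_flapping(events, min_cycles=2):
    """Count connectError/disconnect -> disabled cycles per (svm, policy).

    An enable resets the pending error, so one cycle is counted per
    enable -> error -> disable round trip, which is the pattern in the article.
    """
    pending, cycles = set(), defaultdict(int)
    for ev in events:
        key = (ev["svm"], ev["policy"])
        if ev["event"] in ("fpolicy.server.connectError", "fpolicy.server.disconnect"):
            pending.add(key)
        elif ev["event"] == "mgmt.fpolicy.policy.disabled" and key in pending:
            cycles[key] += 1
            pending.discard(key)
        elif ev["event"] == "mgmt.fpolicy.policy.enabled":
            pending.discard(key)
    return {k: n for k, n in cycles.items() if n >= min_cycles}


def parse_ssl_show(text):
    """Turn `security ssl show` output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def ssl_findings(fields):
    """Flag the certificate state described in the article: all identity fields dashed."""
    return {
        "server_cert_missing": all(fields.get(f, "-") == "-" for f in CERT_FIELDS),
        "server_auth_enabled": fields.get("SSL Server Authentication Enabled", "").lower() == "true",
    }


def triage(ems_text, ssl_text, min_cycles=2):
    """Correlate both symptoms; matches_kb_symptoms is True only when both are present."""
    flapping = detect_flapping(parse_ems(ems_text), min_cycles)
    ssl = ssl_findings(parse_ssl_show(ssl_text))
    return {"flapping": flapping, "ssl": ssl,
            "matches_kb_symptoms": bool(flapping) and ssl["server_cert_missing"]
            and not ssl["server_auth_enabled"]}


if __name__ == "__main__":
    print(triage(EMS_SAMPLE, SSL_SHOW_SAMPLE))
```

The correlation matters: a policy that flaps while the SVM does have a server certificate points somewhere else (network path, the Varonis collector itself), so the helper only reports a match when both the cycle count and the dashed certificate fields are present.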