Symantec Access Management

  • 1.  policy server not communicating policy store

    Posted Nov 19, 2020 02:56 AM
    Hi,

    SMPS logs show the policy server is not communicating with the policy store. What are the reasons, and how do I fix this issue?
    How do I get the policy server and the policy store communicating?

    Regards,
    Naresh


  • 2.  RE: policy server not communicating policy store

    Posted Nov 21, 2020 12:56 AM
    Hi All,

    Please update on the mail below.

    Regards,
    Naresh


  • 3.  RE: policy server not communicating policy store

    Broadcom Employee
    Posted Nov 23, 2020 10:41 AM
    I would recommend breaking down the communication problem into smaller pieces, ordered chronologically.

    A connection goes through the following process and protocols:

    • DNS: Look up remote host name in DNS
    • TCP: Connect to the remote host
    • TLS: Optionally negotiate transport layer security
    • APP: Authenticate to the remote system

    Check if each process is successful and returns the expected result.

    For DNS, check if the IP address is the expected one. Use tools like nslookup or dig. Request both A (IPv4) and AAAA (IPv6) records. Check whether the name is being "resolved" from the "hosts" file (/etc/hosts).

    For TCP, check if the network connection is successful. Use tools like nc (netcat), ncat, or telnet. If the connection is failing, then check if the remote system is actually listening on the desired port. Check the remote system's firewall. Check the network path using a tool like traceroute, and compare an ICMP-based traceroute to a TCP-based traceroute on the desired port to see if an intermediate firewall is blocking the connection.

    For TLS, check the remote certificate. Use a tool like "openssl s_client" to connect to the remote system and negotiate TLS. Check for certificate validation errors.

    For APP, check that the login credentials still work. Use the appropriate tool to connect and authenticate to the remote service, e.g. ldapsearch for LDAP-based policy stores or a database-specific tool. Alternatively, use Policy Server tools like smldapsetup or odbctest in the Policy Server's "bin" directory.

    You can really start at any point in the process and "bisect" the problem. For example, you can start at the TLS stage. If the TCP connection fails and TLS is never attempted, then troubleshoot the TCP side. If TLS seems successful, then troubleshoot the APP (authentication) side.

    Hope this helps,
    Brian Dyson

    ------------------------------
    Security Integration & Adoption, Software Architect
    Broadcom
    ------------------------------
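The staged DNS -> TCP -> TLS -> APP bisection described in the reply above, written out as an added example (not code from the thread, Broadcom or the Policy Server). It walks the four stages in order against one host and port, stops at the first stage that fails, and reports which stages passed plus the corresponding next thing to look at. The `app_check` hook is an assumption standing in for the real authentication step (an LDAP bind for an LDAP policy store, a database login for ODBC); the `ADVICE` text is a condensed version of the reply's own suggestions.

```python
# Staged connectivity check, DNS -> TCP -> TLS -> APP, written as an added
# illustration of the bisection approach in the reply above. It is not
# Policy Server code; the app_check hook (e.g. an LDAP bind) is assumed.
import socket
import ssl
from typing import Callable, Optional

# What to look at next when a given stage is the first to fail (from the reply).
ADVICE = {
    "DNS": "check A/AAAA records with nslookup/dig and the hosts file",
    "TCP": "check the remote listener, host firewall and the network path (TCP traceroute)",
    "TLS": "check the certificate chain and validation errors (openssl s_client)",
    "APP": "check the account/credentials with ldapsearch, smldapsetup or odbctest",
    None: "nothing to fix at the transport level",
}


def _report(failed_stage: Optional[str], detail: str, passed: list) -> dict:
    return {
        "failed_stage": failed_stage,
        "detail": detail,
        "passed": [name for name, _ in passed],
        "next_step": ADVICE[failed_stage],
    }


def diagnose(host: str, port: int, use_tls: bool = True,
             app_check: Optional[Callable[[socket.socket], bool]] = None,
             timeout: float = 3.0, cafile: Optional[str] = None) -> dict:
    """Run the stages in order and stop at the first one that fails.

    app_check (hypothetical) gets the connected socket and returns True when
    the application-level login succeeds; leave it None to stop after TLS.
    """
    passed = []

    # DNS: ask for every A (IPv4) and AAAA (IPv6) candidate, like dig/nslookup.
    # (getaddrinfo also consults /etc/hosts, so compare against dig if in doubt.)
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return _report("DNS", f"lookup of {host!r} failed: {exc}", passed)
    passed.append(("DNS", sorted({info[4][0] for info in infos})))

    # TCP: connect to the first candidate that accepts, like nc/telnet.
    sock, last_err = None, None
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            break
        except OSError as exc:
            last_err = exc
            if sock is not None:
                sock.close()
            sock = None
    if sock is None:
        return _report("TCP", f"no address accepted a connection on port {port}: {last_err}", passed)
    passed.append(("TCP", sock.getpeername()[:2]))

    # TLS: handshake on the already-open TCP socket, like openssl s_client.
    if use_tls:
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
            sock.close()
            return _report("TLS", f"handshake with {host}:{port} failed: {exc}", passed)
        passed.append(("TLS", sock.version()))

    # APP: transport is up, so any failure here is credentials/authorization.
    if app_check is not None:
        try:
            ok = app_check(sock)
            detail = "transport is up but the login was rejected"
        except Exception as exc:
            ok, detail = False, f"application check raised: {exc}"
        if not ok:
            sock.close()
            return _report("APP", detail, passed)
        passed.append(("APP", "authenticated"))

    sock.close()
    return _report(None, "all stages passed", passed)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    result = diagnose(host, port, use_tls="--plain" not in sys.argv)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as `python check.py ldap.example.com 636` (or with `--plain` for a store that is not TLS-protected). Because each stage reuses the result of the previous one, the report tells you exactly where to bisect: a TLS failure with DNS and TCP in `passed` means the listener is reachable and the problem is the certificate or protocol, while an APP failure with TLS in `passed` points at the credentials rather than the network.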