Symantec Access Management

policy server not communicating with policy store

  • 1.  policy server not communicating with policy store

    Posted 12 days ago

    SMPS.log shows the policy server not communicating with the policy store. What are the reasons, and how do I fix this issue?
    How do I get the policy server communicating with the policy store?


  • 2.  RE: policy server not communicating with policy store

    Posted 10 days ago
    Hi All,

    Please update on the mail below.


  • 3.  RE: policy server not communicating with policy store

    Broadcom Employee
    Posted 8 days ago
    I would recommend breaking down the communication problem into smaller pieces, ordered chronologically.

    A connection goes through the following process and protocols:

    • DNS: Look up remote host name in DNS
    • TCP: Connect to the remote host
    • TLS: Optionally negotiate transport layer security
    • APP: Authenticate to the remote system

    Check if each process is successful and returns the expected result.

    For DNS, check if the IP address is the expected one. Use tools like nslookup or dig. Request both A (IPv4) and AAAA (IPv6) records. Check whether the name is being "resolved" from the "hosts" file (/etc/hosts) instead.

    For TCP, check if the network connection is successful. Use tools like nc (netcat), ncat, or telnet. If the connection is failing, then check if the remote system is actually listening on the desired port. Check the remote system's firewall. Check the network path using a tool like traceroute, and compare an ICMP-based traceroute to a TCP-based traceroute on the desired port to see if an intermediate firewall is blocking the connection.

    For TLS, check the remote certificate. Use a tool like "openssl s_client" to connect to the remote system and negotiate TLS. Check for certificate validation errors.

    For APP, check that the login credentials still work. Use the appropriate tool to connect and authenticate to the remote service, e.g. ldapsearch for LDAP-based policy stores or a database-specific tool. Alternatively, use Policy Server tools like smldapsetup or odbctest in the Policy Server's "bin" directory.

    You can really start at any point in the process and "bisect" the problem. For example, you can start at the TLS stage. If the TCP connection fails and TLS is never attempted, then troubleshoot the TCP side. If TLS seems successful, then troubleshoot the APP (authentication) side.

    Hope this helps,
    Brian Dyson

    Security Integration & Adoption, Software Architect
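
The four-stage bisection described in the reply above, written out as an added example; this is not code from the thread or from any Broadcom tool, and it is an editor's addition, not the poster's. It uses only the Python standard library: the DNS stage asks for A and AAAA answers separately and greps /etc/hosts (an assumed Unix-style hosts file) for an entry that could be answering instead of DNS; the TCP stage is a plain connect; the TLS stage uses Python's default context, which verifies the chain and host name against the system CA bundle (a caveat: that bundle can differ from the trust store the Policy Server itself is configured with); the APP stage is an LDAP simple bind (RFC 4511) encoded by hand, standing in for ldapsearch or smldapsetup, so an ODBC policy store would need a different APP probe. The report stops at the first failing stage, which is what turns "not communicating" into a named layer. The DN "cn=smuser", the password, the "220 plain text" banner and the loopback fakes in run_self_test are constructed for the example.

```python
# Added example, not code from the thread or from any Broadcom tool: probe a policy store one
# stage at a time (DNS, TCP, TLS, APP), stopping at the first failure so the report names the layer.
import socket
import ssl
import threading

def check_dns(host):  # A and AAAA answers, plus whether a hosts-file entry may be answering instead of DNS
    out = {}
    for fam, rr in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            out[rr] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, fam)})
        except socket.gaierror:
            out[rr] = []
    try:  # assumption: Unix-style hosts file
        with open("/etc/hosts") as fh:
            out["in_hosts_file"] = any(host in ln.split("#")[0].split()[1:] for ln in fh)
    except OSError:
        out["in_hosts_file"] = False
    return bool(out["A"] or out["AAAA"]), out

def check_tcp(host, port, timeout=3.0):  # on success the detail is the live socket
    try:
        return True, socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable, filtered
        return False, f"{type(exc).__name__}: {exc}"

def check_tls(sock, host):  # the default context verifies the chain and the host name
    try:
        return True, ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError is an OSError: bad cert, wrong version, EOF (sock is closed by then)
        return False, f"{type(exc).__name__}: {exc}"

def ber(tag, payload):  # one BER TLV, short or long length form
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def ber_read(buf, pos=0):  # parse one TLV -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def ldap_bind_request(msg_id, dn, password):  # RFC 4511 LDAPMessage{messageID, BindRequest{v3, name, simple}}
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def ldap_result_code(resp):  # BindResponse resultCode: 0 = success, 49 = invalidCredentials
    _, msg, _ = ber_read(resp)
    _, _, p = ber_read(msg)  # skip messageID
    tag, op, _ = ber_read(msg, p)
    if tag != 0x61: raise ValueError("not a BindResponse")
    return int.from_bytes(ber_read(op)[1], "big")

def check_app(sock, dn, password):  # simple bind, standing in for ldapsearch/smldapsetup
    try:
        sock.sendall(ldap_bind_request(1, dn, password))
        code = ldap_result_code(sock.recv(4096))
    except (OSError, ValueError, IndexError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    return code == 0, {"ldap_result_code": code}

def diagnose(host, port, use_tls, dn="", password=""):  # -> {stage: (ok, detail)}, stops at first failure
    report = {"DNS": check_dns(host)}
    if not report["DNS"][0]: return report
    ok, sock = check_tcp(host, port)
    report["TCP"] = (ok, "connected" if ok else sock)
    if not ok: return report
    if use_tls:
        ok, tls = check_tls(sock, host)
        report["TLS"] = (ok, tls.version() if ok else tls)
        if not ok: return report
        sock = tls
    report["APP"] = check_app(sock, dn, password)
    sock.close()
    return report

def serve_once(reply):  # constructed loopback fake: answer one connection with reply(request), then close
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        with srv, srv.accept()[0] as conn:
            conn.sendall(reply(conn.recv(4096)))
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def fake_bind_response(req, code):  # echo the request's messageID with the given resultCode
    mid = ber_read(ber_read(req)[1])[1]
    return ber(0x30, ber(0x02, mid) + ber(0x61, ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, b"")))

def run_self_test():  # three constructed failures: closed port, plain-text listener probed as TLS, rejected bind
    with socket.socket() as tmp:  # grab, then release, a port nothing listens on
        tmp.bind(("127.0.0.1", 0))
        closed = tmp.getsockname()[1]
    return {
        "closed_port": diagnose("127.0.0.1", closed, False),
        "not_tls": diagnose("127.0.0.1", serve_once(lambda req: b"220 plain text, not TLS\r\n"), True),
        "bad_bind": diagnose("127.0.0.1", serve_once(lambda req: fake_bind_response(req, 49)), False, "cn=smuser", "pw"),
    }
```

Against a real store you would call diagnose("policystore.example.com", 636, True, bind_dn, password) and read the report from the top: a DNS entry with only a hosts-file hit means the resolver, not DNS, supplied the address; a TCP failure with "connected" absent points at the listener or a firewall; a TLS failure string naming the certificate points at trust or host-name mismatch; and an APP result of 49 means the bind DN or password is wrong even though the transport is fine. run_self_test() exercises each of those stops against loopback fakes so the bisection can be seen without a policy store.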