Discoveries through the Secure Domain Connector are not working

Document ID : KB000004814
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We are in the process of deploying a Secure Domain Manager in our Spectrum environment. I have setup one of our SpectroSERVERs to be the Secure Domain Manager, and have configured an Secure Domain Connector in one of our DMZs. 

The SDM has been configured to receive connection requests from the SDC connector. The default certificates have been shared with the connector. After following all of the processes to configure connector it appears as though the SDC is connecting to the SDM fine, but I am not able to discover any hosts that reside in the secure domain. I'm getting an error message indicating that there is not any response from the target device.

Cause:

To troubleshoot the issue, we setup a wireshark capture from the SDC, as well as enabled debugging on the SDM and SDC logs. During the discovery of a target device, we noticed the SDC is receiving the requests from the SDM. The SDC is sending out the ICMP/SNMP requests to the target device. The target device replies back to the requests, and then we get the following error message recorded in the sdcLog.log file: 

SdmConnIcmpMultiClient::run() sendMsg returned error_code=2, sdMgrIP=xx.xx.xx.xx:6844, msgUID=581b591d-0082-1000-00ba-005056a0297b-1 

The SDM is having trouble receiving the replies back from the SDC. The wireshark packet capture shows we are holding the secure tunnel open, so it does not appear to be a firewall related issue. 

Sustaining Engineering looked up the error code and said it is defined as follows: 

SDM_MSG_RC_INVALID_TRANSPORT // The messaging transport infrastructure was invalid or not ready

The root cause is the "Accept Endpoint" on the SDM side is getting corrupt and not able to accept responses from the SDC.

Resolution:

This is resolved with patch Spectrum_10.01.01.D105. 

To get a copy of this patch, please open a case with CA Spectrum Support.