
VServer connection to FPolicy Server fails, NetApp Release 8.3.2RC2 cDOT

robfstephenson

Hi, I just enabled Varonis to collect some stats - it had been disabled for some months as it was deemed to be causing latency.

However, it has stopped working - anyone have any ideas? Neither the NetApp filer FPolicy nor the Varonis config has been altered.

The external engines can see the filer and it can see them.

Vserver       Policy Name               Number  Status   Engine
------------- ----------------------- --------  -------- ---------
PG7-Cluster3  Varonis                        1  on       fp_ex_eng

8/2/2017 11:19:43   PG7NETAPPP04-03  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).
8/2/2017 11:19:42   PG7NETAPPP04-01  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).
8/2/2017 11:19:42   PG7NETAPPP04-02  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).
8/2/2017 11:19:42   PG7NETAPPP04-04  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).

So

engine-connect -node PG7NETAPPP04-03 -vserver PG7-Cluster3 -policy-name Varonis -server 10.13.110.220

Result:

vserver fpolicy show-engine -vserver PG7-Cluster3 -node PG7NETAPPP04-02 -fields disconnect-reason,server-status,disconnected-since,disconnect-reason
node            vserver      policy-name server        server-status disconnected-since disconnect-reason
--------------- ------------ ----------- ------------- ------------- ------------------ ----------------------------------------
PG7NETAPPP04-02 PG7-Cluster3 Varonis     10.13.110.220 disconnected  8/2/2017 14:19:40  TCP Connection to FPolicy server failed.

 show-engine -vserver PG7-Cluster3 -node PG7NETAPPP04-02 -fields disconnect-reason,server-status,disconnected-since,disconnect-reason-id
node            vserver      policy-name server        server-status disconnected-since disconnect-reason                        disconnect-reason-id
--------------- ------------ ----------- ------------- ------------- ------------------ ---------------------------------------- --------------------
PG7NETAPPP04-02 PG7-Cluster3 Varonis     10.13.110.220 disconnected  8/2/2017 16:13:26  TCP Connection to FPolicy server failed. 9307

 ping -destination 10.13.110.220
10.13.110.220 is alive
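
The disconnect reason differs between the EMS events and the later show-engine output quoted in the post above. The following is an added example, not part of the original post and not NetApp or Varonis code: it parses both text formats and lists the reasons per node, EMS events first and current engine status second. The function names are hypothetical and the sample input is copied from the post.

```python
import re

# Sample input copied from the post above: `show-engine` output with -fields.
SHOW_ENGINE = """\
node            vserver      policy-name server        server-status disconnected-since disconnect-reason                        disconnect-reason-id
--------------- ------------ ----------- ------------- ------------- ------------------ ---------------------------------------- --------------------
PG7NETAPPP04-02 PG7-Cluster3 Varonis     10.13.110.220 disconnected  8/2/2017 16:13:26  TCP Connection to FPolicy server failed. 9307
"""

# Sample input copied from the post above: two of the four EMS warnings.
EMS = """\
8/2/2017 11:19:43   PG7NETAPPP04-03  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).
8/2/2017 11:19:42   PG7NETAPPP04-02  WARNING       fpolicy.server.disconnect: Connection to the Fpolicy server '10.13.110.220' is broken ( reason: 'FPolicy server is removed from external engine.' ).
"""

EMS_RE = re.compile(
    r"^\S+ \S+\s+(?P<node>\S+)\s+\w+\s+fpolicy\.server\.disconnect: "
    r".*?'(?P<server>[^']+)' is broken \( reason: '(?P<reason>[^']+)'", re.M)

def parse_show_engine(text):
    """Parse the fixed-width table; the dashed rule line defines column spans."""
    lines = [l for l in text.splitlines() if l.strip()]
    rule = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    names = lines[rule - 1].split()  # header names contain no spaces
    rows = []
    for line in lines[rule + 1:]:
        # Cell values (timestamp, reason) contain spaces, so slice by span;
        # the last column runs to end of line.
        cells = [line[a:(b if i < len(spans) - 1 else None)].strip()
                 for i, (a, b) in enumerate(spans)]
        rows.append(dict(zip(names, cells)))
    return rows

def disconnect_summary(engine_rows, ems_text):
    """Map (node, server) -> reasons: EMS events first, then engine status."""
    seen = {}
    for m in EMS_RE.finditer(ems_text):
        seen.setdefault((m["node"], m["server"]), []).append(m["reason"])
    for r in engine_rows:
        if r["server-status"] != "connected":
            key = (r["node"], r["server"])
            seen.setdefault(key, []).append(r["disconnect-reason"])
    return seen

if __name__ == "__main__":
    for key, reasons in disconnect_summary(parse_show_engine(SHOW_ENGINE), EMS).items():
        print(key, "->", " | ".join(reasons))
```
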

 


Patrick_L

Hi Rob, I would check the Varonis logs for more info. The account you use to connect may be locked out (password change?), or, if the server was turned off intentionally, perhaps the services on it were disabled.

Regarding any latency issues caused by Varonis, I recommend reaching out to Varonis support (support@varonis.com) for assistance here. They'll help you tune your configuration to resolve this.

GidonMarcus

Hi

After adding the cluster to the Varonis, you must restart the following service for the Varonis to start listening on the dedicated cDOT HTTP/S ports.

[Image: Varonis.png]

G

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

vkinic

I have checked the recommendation provided by you. Even after restarting the Varonis collect monitor services, the FPolicy server is still showing as disconnected. I have added the FPolicy server to allow HTTP traffic in the firewall policy. But still no luck.

If I try to execute the below command, I get an error like "TCP connection to fpolicy server failed" in the event logs.

vserver fpolicy engine-connect -node <node_name> -vserver <vserver_name> -policy-name varonis -server <IP address of fpolicy server>

We are using Data ONTAP 8.3.2P10 version.

Any help is highly appreciated.

vkinic

Any solution for this?

vkinic

We have performed the below steps so far.

1) Added the Varonis server to allow HTTP connection in the firewall policy.
2) Configured a secondary Varonis server in FPolicy.
3) Disabled and enabled FPolicy services.
4) Restarted the "varonis collector monitor" services on the Varonis server.
5) Checked with the Networks team to verify whether any TCP connections are failing from source (NetApp data LIF IP) to destination (Varonis server). No flaps or glitches were observed by the Networks team.
6) Tried to connect the FPolicy engine - but no luck.

We followed the same steps on another NetApp box and the issue got resolved.

vkinic

Did anyone find a solution for this issue? Any help is highly appreciated.
