I'm hoping this is a firewall issue but I figured I would check just in case I'm looking in the wrong direction.
I set up a pair of non-CA replicas today and, as far as I could tell, everything seemed to be okay, but I noticed that when searching via the web UI on the new replicas it would take 2 minutes to return information.
In the logs I noticed this timeout error, which is what I assumed was the culprit:
    [Wed Jun 07 14:48:31.155444 2017] [:error] [pid 14384] ipa: ERROR: ra.find(): Unable to communicate with CMS ([Errno 110] Connection timed out)
I can see in tcpdump connections over LDAP and 8080, which should be open between the two, and I wanted to verify whether there should be any other ports open that aren't covered in the install instructions, or maybe something I missed (7389 perhaps, because it's 4.x to 3.x communication).
Also, I was hoping to cut down traffic across the network since the new servers are in the EU and the old ones are in the US. Are there any tips/instructions on doing something like this, if it's even possible?
    # firewall-cmd --zone=public --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens224
      sources:
      services: dns http https kerberos kpasswd ldap ldaps ntp snmp ssh
Thanks!
John Bowman via FreeIPA-users wrote:
> I'm hoping this is a firewall issue but I figured I would check just in case I'm looking in the wrong direction.
> I set up a pair of non-CA replicas today and, as far as I could tell, everything seemed to be okay, but I noticed that when searching via the web UI on the new replicas it would take 2 minutes to return information.
> In the logs I noticed this timeout error, which is what I assumed was the culprit:
>     [Wed Jun 07 14:48:31.155444 2017] [:error] [pid 14384] ipa: ERROR: ra.find(): Unable to communicate with CMS ([Errno 110] Connection timed out)
> I can see in tcpdump connections over LDAP and 8080, which should be open between the two, and I wanted to verify whether there should be any other ports open that aren't covered in the install instructions, or maybe something I missed (7389 perhaps, because it's 4.x to 3.x communication).
> Also, I was hoping to cut down traffic across the network since the new servers are in the EU and the old ones are in the US. Are there any tips/instructions on doing something like this, if it's even possible?
>     # firewall-cmd --zone=public --list-all
>     public (active)
>       target: default
>       icmp-block-inversion: no
>       interfaces: ens224
>       sources:
>       services: dns http https kerberos kpasswd ldap ldaps ntp snmp ssh
I don't see 8080 in that list. That is the port that find uses.
rob
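As an added example (not code from this thread or from the FreeIPA project), the check below reads a firewall-cmd zone dump, maps each enabled firewalld service to the port(s) it opens, and reports which of the ports a non-CA replica needs on its CA master are still closed, together with the firewall-cmd commands that would add them. The input is the zone dump John posted, embedded as constructed sample text so the script runs offline. The required-port list and the service-to-port mapping are assumptions stated in the script; 8080/tcp for ra.find() is the one port the thread itself confirms.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): compare a
# "firewall-cmd --list-all" zone dump against the ports a non-CA FreeIPA
# replica must reach on its CA master, and print the firewall-cmd
# remediation for whatever is missing. Runs offline on constructed input.

# Constructed sample input: the zone dump posted in the thread, reflowed to
# firewalld's one-setting-per-line layout. On a real host capture it with:
#   firewall-cmd --zone=public --list-all
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens224
  sources:
  services: dns http https kerberos kpasswd ldap ldaps ntp snmp ssh
  ports:
  protocols:
  masquerade: no'

# The same zone after the fix described in the thread: 8080/tcp added as an
# explicit port (constructed by editing the sample above).
FIXED_ZONE=$(printf '%s\n' "$SAMPLE_ZONE" | sed 's|^  ports:$|  ports: 8080/tcp|')

# Assumed requirement list: LDAP, HTTP(S) and Kerberos ports from the install
# docs, plus 8080/tcp, which Rob identified as the port ra.find() uses.
# Check it against the docs for your own FreeIPA version.
REQUIRED="389/tcp 636/tcp 80/tcp 443/tcp 88/tcp 88/udp 464/tcp 464/udp 8080/tcp"

# Standard firewalld service -> port/proto mapping for the services that matter
# here. Services not listed (snmp, ssh) contribute nothing to the check.
service_ports() {
  case "$1" in
    dns)      echo "53/tcp 53/udp" ;;
    http)     echo "80/tcp" ;;
    https)    echo "443/tcp" ;;
    kerberos) echo "88/tcp 88/udp" ;;
    kpasswd)  echo "464/tcp 464/udp" ;;
    ldap)     echo "389/tcp" ;;
    ldaps)    echo "636/tcp" ;;
    ntp)      echo "123/udp" ;;
    *)        echo "" ;;
  esac
}

# Print every port/proto a zone dump opens, one group per line, whether it
# comes from an enabled service or from an explicit "ports:" entry.
# $1 = zone dump text.
open_ports() {
  for svc in $(printf '%s\n' "$1" | awk -F': *' '$1 ~ /^ *services$/ {print $2}'); do
    service_ports "$svc"
  done
  # Anchored so "forward-ports:" and "source-ports:" are not matched.
  printf '%s\n' "$1" | awk -F': *' '$1 ~ /^ *ports$/ {print $2}'
}

# Print the REQUIRED entries that the zone dump does not open, one per line.
missing_ports() {
  opened=$(open_ports "$1" | tr ' ' '\n')
  for req in $REQUIRED; do
    printf '%s\n' "$opened" | grep -qxF "$req" || echo "$req"
  done
}

# Print the firewall-cmd commands that would close the gap (not executed here).
remediation() {
  for p in $(missing_ports "$1"); do
    echo "firewall-cmd --permanent --zone=public --add-port=$p"
  done
  echo "firewall-cmd --reload"
}

echo "Missing on the posted zone:";  missing_ports "$SAMPLE_ZONE"
echo "Remediation:";                 remediation "$SAMPLE_ZONE"
echo "Missing after the fix:";       missing_ports "$FIXED_ZONE"
```

On the posted zone the only gap reported is 8080/tcp, which matches Rob's diagnosis; after adding it the list is empty. If the zone faces more than the replica, prefer a firewalld rich rule that allows 8080/tcp only from the replica's source address over opening the port zone-wide, since the CA's 8080 listener is not something the rest of the network needs to reach.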
That was it. They opened up 8080 and it's working as expected. Thank you!
On Wed, Jun 7, 2017 at 12:17 PM, Rob Crittenden rcritten@redhat.com wrote:
> John Bowman via FreeIPA-users wrote:
> > I'm hoping this is a firewall issue but I figured I would check just in case I'm looking in the wrong direction.
> > I set up a pair of non-CA replicas today and, as far as I could tell, everything seemed to be okay, but I noticed that when searching via the web UI on the new replicas it would take 2 minutes to return information.
> > In the logs I noticed this timeout error, which is what I assumed was the culprit:
> >     [Wed Jun 07 14:48:31.155444 2017] [:error] [pid 14384] ipa: ERROR: ra.find(): Unable to communicate with CMS ([Errno 110] Connection timed out)
> > I can see in tcpdump connections over LDAP and 8080, which should be open between the two, and I wanted to verify whether there should be any other ports open that aren't covered in the install instructions, or maybe something I missed (7389 perhaps, because it's 4.x to 3.x communication).
> > Also, I was hoping to cut down traffic across the network since the new servers are in the EU and the old ones are in the US. Are there any tips/instructions on doing something like this, if it's even possible?
> >     # firewall-cmd --zone=public --list-all
> >     public (active)
> >       target: default
> >       icmp-block-inversion: no
> >       interfaces: ens224
> >       sources:
> >       services: dns http https kerberos kpasswd ldap ldaps ntp snmp ssh
> I don't see 8080 in that list. That is the port that find uses.
> rob
freeipa-users@lists.fedorahosted.org