000037729 - Active Directory ADCs intermittently fail with 'LDAP response read timed out' errors in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jul 19, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037729
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.0, 7.1.1

IssueActive Directory ADCs intermittently fail with the following error when reading data (users and/or groups):
LDAP response read timed out 

Re-running the ADC manually will sometimes succeed after one of these failures. 

The following Admin error is reported in the collector run:

EC[31002] Context[Collector Name=[name of ADC], Agent Name=AveksaAgent,
Data Run ID=777Reason=com.aveksa.common.DataReadException: Error while reading user directory, cause: LDAP response read

The following errors can be seen in the aveksaServer.log:

03/24/2019 02:41:11.958 ERROR (ApplyChangesRegularThread-409540) [com.aveksa.client.datacollector.framework.DataCollectorManager] DCM281:
Collection Failed: CollectionFailedEvent[cmi = CollectionMetaInfo[\\{ID=890, run_id=777, collector_id=32, test-run=false,
collector_name=[name of ADC], data_size=32534090, data_file=/home/oracle/wildfly-
INF/LocalAgent/collected_data/890.data}] message = null cause = com.aveksa.common.DataReadException: Error while reading user directory,
cause: LDAP response read timed out, timeout used:30000ms.]com.aveksa.common.DataReadException: Error while reading user directory, cause:
LDAP response read timed out, timeout used:30000ms.    
     at com.aveksa.collector.accountdata.ADAccountDataReader.getGroupDataIterator(ADAccountDataReader.java:151)       
     at com.aveksa.collector.accountdata.ADAccountDataReader.getGroupIterator(ADAccountDataReader.java:96)       
     at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:434)       
     at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)       
     at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:269)       
     at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:536)       
     at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:204)       
     at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)       
     at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)       
     at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)       
     at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)       
     at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)       
     at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)       
     at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)       
     at java.lang.Thread.run(Thread.java:748)

Please refer to RSA Knowledge Base Article 000030327--Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
CauseThe collector connection settings are not configured correctly for the specific environment.
ResolutionThere are four settings in the Active Directory Account Data Collector definition that can be modified to assist with connection and timeout issues as shown in the following screenshot:

User-added image

To resolve this error, you may need to modify one or more of these settings. In particular, the Read Timeout, Page Size and Ignore Referral settings.
  • The Connection Timeout is: The time in milliseconds a collector waits to complete the initial TCP connection handshake before the connection attempt is aborted. This setting does not need to be modified to resolve this error.

  • The Read Timeout is: The time in miliseconds a collector waits to read data after the previous read before the read attempt is aborted.  The default value for this setting is 30000 milliseconds or five minutes. Increase this setting to allow more time for the collector to read the data from the data source. Note the error message displays the timeout value: 

LDAP response read timed out, timeout used:300000ms.

  • The Page Size must not exceed MaxPageSize attribute in Active Directory Server. Default MaxPageSize in AD is 1000.The Page Size refers to the number of records read at a time. This is the number of records that need to be read within the Read Timeout setting or the read timeout will occur. Consider reducing this value to reduce the number of records being read at a time.

  • The Ignore Referral setting when checked, ignores referrals if you have them enabled in Active Directory (AD). A referral is given when a user is not in the primary Organization Unit (OU) and is in some other location. But a referral usually gives back a bad location (this is an Active Directory issue and not an RSA Identity Governance & Lifecycle issue) and then RSA Identity Governance & Lifecycle  goes into an infinite loop looking for the 'bad' location. Eventually the read timeout occurs. Check this box if you are having read timeouts in your Active Directory ADCs.