000014936 - Unable to reach one of the appliances in a cluster intermittently

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000014936
Applies To: RSA Key Manager Appliance 2.6
RSA Key Manager Appliance 2.5.0.3
BIG-IP F5 Load Balancer
Issue: Unable to reach one of the appliances in a cluster intermittently
A load balancer set up in the same subnet as the RKM Appliances marks one of the appliances as inactive, while the other appliance is marked as active.
A Windows box on the same subnet as the RKM Appliances can connect to one of the appliances (/KMS, /rkmawa, /admingui) without any problem when using its IP address rather than going through the load balancer, but can only intermittently connect to the other appliance (again using its real IP address), which is the one marked as inactive by the load balancer.
Other computers on a different subnet from the RKM Appliances can consistently connect to both appliances (through their real IP addresses).
Cause: The IP address assigned to the intermittently unreachable appliance is also assigned to, or being used by, another device on the subnet.
Resolution: Remove the rogue device using the same IP address as one of the appliances from the subnet, or assign it a different IP address.
Notes: The following steps can be taken to help troubleshoot this issue:

1. Determine the MAC address being used by the RKM Appliance Ethernet interface(s):
- Log in as root via ssh.
- Type in the command "ifconfig" and make a note of the IP address ('inet addr') and the corresponding MAC address for the Ethernet/NIC ('HWaddr').

2. Determine the MAC address recorded for the RKM Appliance on the BIG-IP load balancer:
- Log in to the load balancer admin console via a browser.
- Go to Main -> Network -> ARP -> Dynamic List.
- Confirm whether or not the MAC address listed for the RKM Appliance matches what you get from #1 above.
- If the MAC address does not match, a temporary workaround is to delete the rogue entry from the Dynamic List and manually add the RKM Appliance IP address with the correct MAC address under Static List.


3. Determine the MAC address recorded for the RKM Appliance on a Windows box on the same subnet:
- Open a command prompt and type in the command "arp -a". If no recent attempt has been made to connect to the RKM Appliance, the list will not show a cached entry pairing the RKM Appliance IP address with a MAC address.
- Open a browser and attempt to connect to any of /KMS, /rkmawa, or /admingui. You may get an error that the page cannot be displayed.
- Type in the command "arp -a" again, and check the cache entry for the RKM Appliance IP/MAC address against what you get in #1 above.

If the MAC address assigned to the RKM Appliance IP address on either the load balancer or the Windows box does not match what you get in step #1 above, it is an indication of a rogue device on the same subnet configured to use the same IP address as the RKM Appliance.
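
The comparison between step 1 and step 3 can be scripted. The following is an added example, not part of the original article or any RSA tooling: it parses saved "ifconfig" and Windows "arp -a" output and reports any appliance IP address that the Windows host has resolved to a different MAC address. All IP and MAC values are constructed, and the ifconfig sample assumes the legacy output format with 'HWaddr' and 'inet addr' that the steps refer to.

```python
import re
# Constructed sample: legacy net-tools `ifconfig` output from the appliance (step 1).
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 02:00:5E:00:00:0A
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed sample: `arp -a` output from a Windows box on the same subnet (step 3).
ARP_SAMPLE = """\
Interface: 192.0.2.50 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.10            02-00-5e-00-00-99     dynamic
  192.0.2.11            02-00-5e-00-00-0b     dynamic
"""

MAC_RE = r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

def norm_mac(mac):
    """Normalise 02-00-5E-... and 02:00:5e:... to one comparable form."""
    return mac.replace("-", ":").lower()

def parse_ifconfig(text):
    """Map each 'inet addr' to the 'HWaddr' of the interface it belongs to."""
    owners, mac = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line starts a new interface
            m = re.search(r"HWaddr\s+(" + MAC_RE + ")", line)
            mac = norm_mac(m.group(1)) if m else None  # loopback has no HWaddr
        m = re.search(r"inet addr:(" + IP_RE + ")", line)
        if m and mac:
            owners[m.group(1)] = mac
    return owners

def parse_windows_arp(text):
    """Map each cached IP to the MAC address the Windows host resolved for it."""
    rows = re.finditer(r"^\s*(" + IP_RE + r")\s+(" + MAC_RE + r")\s+\w+", text, re.M)
    return {m.group(1): norm_mac(m.group(2)) for m in rows}

def find_conflicts(owners, cache):
    """Return (ip, appliance_mac, cached_mac) for appliance IPs cached with a foreign MAC."""
    return [(ip, mac, cache[ip]) for ip, mac in sorted(owners.items())
            if ip in cache and cache[ip] != mac]

if __name__ == "__main__":
    for ip, want, got in find_conflicts(parse_ifconfig(IFCONFIG_SAMPLE), parse_windows_arp(ARP_SAMPLE)):
        print(f"{ip}: appliance NIC is {want}, ARP cache has {got}: duplicate IP suspected")
```

An appliance IP address that is absent from the ARP cache is not reported, which matches the note in step 3 that a connection attempt is needed before the cache holds an entry.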
Legacy Article ID: a48518
