lca25
Visitor.

5057 ERROR_SERVICE_UNREACHABLE

Hi

We're running SSPR v4.2.0.2 b265 r39344 appliances, and are getting the following error:

ERROR, health.ApplianceStatusChecker, {#,health} error communicating with client 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: Connect to 172.17.0.1:9443 [/172.17.0.1] failed: connect timed out)

Is there something that we forgot to do?

Regards
0 Likes
7 Replies
Knowledge Partner

Re: 5057 ERROR_SERVICE_UNREACHABLE

Where are you seeing this? Is this a new appliance, I presume? Also, I
presume that is the IP address of your appliance; can you access that URL
from another client (your web browser)?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
lca25
Visitor.

Re: 5057 ERROR_SERVICE_UNREACHABLE

These are new appliances (four, two for development). They all show IP address 172.17.0.1, which I am assuming is docker.
0 Likes
lca25
Visitor.

Re: 5057 ERROR_SERVICE_UNREACHABLE

This error seems to occur only when a member of the pwmAdminGroup logs in.
0 Likes
Knowledge Partner

Re: 5057 ERROR_SERVICE_UNREACHABLE

Perhaps by being part of that group the system is trying to do more
information gathering, and those queries are timing out. Can the logging
be turned up, or can you get ndstrace output (LDAP specifically) to see if
a query against eDirectory is coming back slowly?


ndstrace
set dstrace=nodebug
dstrace +time =tags +ldap
dstrace file on
set dstrace=*r
#perform test causing error here
dstrace file off
quit


The default file path will be /var/opt/novell/eDirectory/log/ndstrace.log
unless you have a different 'vardir' (instance directory) set for eDirectory.

--
Good luck.

0 Likes
lca25
Visitor.

Re: 5057 ERROR_SERVICE_UNREACHABLE

We've upgraded (installed new appliance) SSPR v4.3.0.1 b363 r39539 and still see this error. I'm thinking it's more of a certificate or routing issue, not an eDirectory issue.

The error:
September 5, 2018, 2:43:47 PM GMT+1, ERROR, health.ApplianceStatusChecker, {#,health} error communicating with client 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: Connect to 172.17.0.1:9443 [/172.17.0.1] failed: connect timed out)

The routing:
vuh-lb-ssprdev:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         gateway.herts.a 0.0.0.0         UG    0      0   0   eth0
147.197.108.0   *               255.255.255.0   U     0      0   0   eth0
172.17.0.0      *               255.255.0.0     U     0      0   0   docker0

The routing stipulates that 172 destined traffic goes via docker0

So attempted connections from commandline:
# curl http://172.17.0.1:9443
curl: (52) Empty reply from server

# curl https://172.17.0.1:9443
curl: (60) SSL certificate problem: unable to get local issuer certificate

# w3m https://172.17.0.1:9443
unable to get local issuer certificate: accept? (y/n)
Bad cert ident from 172.17.0.1: dNSName={our server name...} : accept? (y/n)
...

Could this be the issue?
0 Likes
Knowledge Partner

Re: 5057 ERROR_SERVICE_UNREACHABLE

On 09/05/2018 08:46 AM, lca25 wrote:
>
> We've upgraded (installed new appliance) SSPR v4.3.0.1 b363 r39539 and
> still see this error. I'm thinking it's more of a certificate or routing
> issue, not an eDirectory issue.
>
> The error:
>
> September 5, 2018, 2:43:47 PM GMT+1, ERROR,
> health.ApplianceStatusChecker, {#,health} error communicating with
> client 5057 ERROR_SERVICE_UNREACHABLE (error while making http request:
> Connect to 172.17.0.1:9443 [/172.17.0.1] failed: connect timed out)
>
> The routing:
>
> vuh-lb-ssprdev:~ # route


Please use 'ip route' in the future; it is better, and clearer, and will
handle more-advanced routing, if applicable, properly.

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> default         gateway.herts.a 0.0.0.0         UG    0      0   0   eth0
> 147.197.108.0   *               255.255.255.0   U     0      0   0   eth0
> 172.17.0.0      *               255.255.0.0     U     0      0   0   docker0
>
> The routing stipulates that 172 destined traffic goes via docker0


Specifically 172.17.x.x traffic, yes.

> So attempted connections from commandline:
> # curl http://172.17.0.1:9443
> curl: (52) Empty reply from server


This is invalid, since the 9443 port uses TLS/SSL but you specified 'http'
which means the client (curl) would not send the SSL Client Handshake, so
you get what you got.

> # curl https://172.17.0.1:9443
> curl: (60) SSL certificate problem: unable to get local issuer
> certificate


This looks correct unless the cert used by TCP 9443 has been incorporated
into the system. I do not have an appliance to use for testing.

> # w3m https://172.17.0.1:9443
> unable to get local issuer certificate: accept? (y/n)
> Bad cert ident from 172.17.0.1: dNSName={our server name...} : accept?
> (y/n)


Perhaps, I suppose. I do not use the appliance so I do not know why that
port would be checked by SSPR, but I would assume it should just work. If
not you could potentially add the CA certificate to your system, but the
question is "where"? If this is SSPR itself complaining and it is an
appliance install then I would think that it would have the certs built in
by default.

--
Good luck.

0 Likes
lca25
Visitor.

Re: 5057 ERROR_SERVICE_UNREACHABLE

lca25;2472175 wrote:
Hi

We're running SSPR v4.2.0.2 b265 r39344 appliances, and are getting the following error:

ERROR, health.ApplianceStatusChecker, {#,health} error communicating with client 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: Connect to 172.17.0.1:9443 [/172.17.0.1] failed: connect timed out)

Is there something that we forgot to do?

Regards


Yes, probably...we forgot to allow the 172.17.0 subnet through when locking down the network via the Appliance Administration UI (port 9443) Access Restrictions. We now don't see this fail anymore.
0 Likes
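
Added example, not part of the thread and not SSPR or appliance code: a pre-flight check that takes the health checker's log line and the `route` output quoted above and reports whether the unreachable target sits on a directly connected subnet that the port 9443 access-restriction allowlist does not cover. The `ALLOWED` list is hypothetical (the thread does not show the entries that were configured), and the check assumes the health checker's source address lies in the same on-link subnet as its target.

```python
import ipaddress
import re

# Constructed sample input, taken from the log line and `route` output quoted in the thread.
LOG_LINE = ("ERROR, health.ApplianceStatusChecker, {#,health} error communicating with client "
            "5057 ERROR_SERVICE_UNREACHABLE (error while making http request: "
            "Connect to 172.17.0.1:9443 [/172.17.0.1] failed: connect timed out)")
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         gateway.herts.a 0.0.0.0         UG    0      0   0   eth0
147.197.108.0   *               255.255.255.0   U     0      0   0   eth0
172.17.0.0      *               255.255.0.0     U     0      0   0   docker0
"""
# Hypothetical allowlist of CIDRs permitted to reach the admin UI on 9443.
ALLOWED = ["147.197.108.0/24"]


def failed_target(log_line):
    """Return (ip, port) of the endpoint whose TCP connect timed out, or None."""
    m = re.search(r"Connect to (\d+\.\d+\.\d+\.\d+):(\d+) .*connect timed out", log_line)
    return (ipaddress.ip_address(m.group(1)), int(m.group(2))) if m else None


def connected_routes(route_output):
    """Parse `route` output into (network, iface) pairs for on-link subnets."""
    routes = []
    for line in route_output.splitlines():
        f = line.split()
        # Eight columns with "*" as gateway marks a directly connected subnet;
        # the banner, the header row and the default route are skipped.
        if len(f) == 8 and f[1] == "*":
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[7]))
    return routes


def blocked_local_subnet(log_line, route_output, allowed):
    """Return (network, iface) when the failing target is on a local subnet
    that no allowlist entry covers, else None."""
    target = failed_target(log_line)
    if target is None:
        return None
    allow = [ipaddress.ip_network(a) for a in allowed]
    for net, iface in connected_routes(route_output):
        if target[0] in net and not any(net.subnet_of(a) for a in allow):
            return net, iface
    return None


if __name__ == "__main__":
    print(blocked_local_subnet(LOG_LINE, ROUTE_OUTPUT, ALLOWED))
```

A "connect timed out" in the log is a TCP-level failure, whereas the curl certificate error from the host shell means the TCP connection from that source succeeded; the two results differ because they come from different source addresses.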