Symantec Privileged Access Management

  • 1.  Login with PAM Client is slow in closed environment

    Broadcom Employee
    Posted Jan 17, 2018 07:59 PM

    The customer has a closed environment (i.e., it has no connection to the external internet). When logging in to PAM with PAM Client, there is a significant delay in the login process. The login process is much faster from stations that have an internet connection.

     

    In the client log, I noticed the following information.

    2018-01-12 17:44:46 INFO  - java.net.UnknownHostException: checkip.amazonaws.com     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.net.AbstractPlainSocketImpl.connect(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.net.PlainSocketImpl.connect(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.net.Socket.connect(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.K.c(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.d.i.a(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.D.q(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.D.p(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.D.o(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.D.a(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.client.XsuiteClientBrowser$8.run(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      at java.lang.Thread.run(Unknown Source)     syserr [Thread-12]
    2018-01-12 17:44:46 INFO  -      syserr [Thread-12]

    From what I have found so far, it seems that when logging in with PAM Client, it retrieves basic information, which includes the user's network information (private IP and public gateway IP). The private IP can be retrieved locally, while the public gateway IP is retrieved via an external service (I guess PAM Client contacts checkip.amazonaws.com).

    Because it is a closed environment, the client cannot connect to the external resource until timeout. I believe that is where the delay comes from.

     

    Is my understanding correct, or is there another cause that I have missed?

    And more importantly, how do we mitigate this delay? Any workaround?

     

     

    Any input is appreciated.

     

     

    Best Regards

    Jerry



  • 2.  Re: Login with PAM Client is slow in closed environment
    Best Answer

    Broadcom Employee
    Posted Jan 19, 2018 08:15 AM

    Hello Jerry,

     

    I can reproduce in my lab the "java.net.UnknownHostException: checkip.amazonaws.com" while logging in to PAM Client when there is no Internet connection.

     

    The Access Agent, when loaded, attempts to retrieve the user's gateway address by contacting http://checkip.amazonaws.com

     

    However, there should not be any noticeable delay while running the PAM Client in a properly configured non-Internet environment.

     

    Please make sure that the machine the PAM Client is running on has a default gateway configured that is on the same subnet as the box.

    Also confirm that the ping from the machine the PAM Client is installed on to the PAM server is not more than 1ms to experience a speedy login and session.

     

    Should the issue remain, please do not hesitate to open a formal Support Case with us and we can have a closer look.
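
An added example, not part of either post and not Broadcom code: a small parser for the client log format quoted in the first post, which lists every host the client failed to resolve together with the first `com.ca.xsuite.` frame that made the call, so outbound lookups from a closed network can be inventoried. The entry layout (timestamp, level, message, logger, thread) is inferred from the quoted log and is an assumption, as are the function names.

```python
import re

# Shortened excerpt of the client log quoted in the first post, used as sample
# input. Entries are run together and one frame is wrapped, as on the page.
SAMPLE = (
    "2018-01-12 17:44:46 INFO  - java.net.UnknownHostException: checkip.amazonaws.com     syserr [Thread-12] "
    "2018-01-12 17:44:46 INFO  -      syserr [Thread-12] "
    "2018-01-12 17:44:46 INFO  -      at java.net.Socket.connect(Unknown Source)     syserr [Thread-12] "
    "2018-01-12 17:44:46 INFO  -      syserr [Thread-12] "
    "2018-01-12 17:44:46 INFO  -      at com.ca.xsuite.launcher.K.c(Unknown Source)     syserr [Thread-12] "
    "2018-01-12 17:44:46 INFO  -      at \njava.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)     syserr [Thread-12]"
)

# Assumed entry layout: "<timestamp> <level>  - <message>     <logger> [<thread>]".
ENTRY = re.compile(
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\s+-(.*?)\s+(\w+) \[([^\]]+)\]", re.S)
UNKNOWN_HOST = re.compile(r"java\.net\.UnknownHostException: (\S+)")


def failed_lookups(log_text):
    """Return one record per UnknownHostException with its stack frames."""
    records, open_trace = [], {}
    for ts, _level, msg, _logger, thread in ENTRY.findall(log_text):
        msg = " ".join(msg.split())          # trim padding, rejoin wrapped frames
        hit = UNKNOWN_HOST.search(msg)
        if hit:
            rec = {"host": hit.group(1), "time": ts, "thread": thread, "frames": []}
            records.append(rec)
            open_trace[thread] = rec         # frames are attributed per thread
        elif msg.startswith("at ") and thread in open_trace:
            open_trace[thread]["frames"].append(msg[3:])
        elif msg:                            # any other message ends the trace
            open_trace.pop(thread, None)
    return records


def first_app_frame(record, prefix="com.ca.xsuite."):
    """First frame in the client's own package, i.e. the code that made the call."""
    return next((f for f in record["frames"] if f.startswith(prefix)), None)


if __name__ == "__main__":
    for rec in failed_lookups(SAMPLE):
        print(rec["time"], rec["thread"], rec["host"], "<-", first_app_frame(rec))
```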