[IDN] Failed to connect to the IIQ service

Hi All,

I am trying to connect an IIQ to a local AD direct connection which is connected to IDN. After that, I installed the IIQ on the same Windows server and got port 5010 for my IIQ connection. Then I pressed Test Connection to connect the IIQ, and it showed the error message below.

After the failure, I tried to shut down the IIQ from the Windows server, and it showed a different error message, as below. I understand that the connection will not succeed after I shut down the IIQ, but this error message made me believe that the IIQ was able to connect when it was active.

Also, I deleted all the information from the IQService settings page and pressed Test Connection. The connection was successful, so I think there is some problem with the connection between the IIQ and IDN regarding the connection reset. May I know how to fix the connection reset issue?

Thank you.

Best regards,
Jacky

Hi Jacky,
It seems like you’re getting a timeout. You can increase the timeout settings in your source. Try increasing the timeout on your AD source by 60-90 second increments and see if that resolves the issue.
If this does not work, then you may need to check that all of your firewall rules are in place (see Securing the Active Directory Application). Also, please check that you have updated your domain information from the default so that it is pointing to your AD environment.

[
  {
    "op": "add",
    "path": "/connectorAttributes/healthCheckTimeout",
    "value": 180
  }
]

Hi @choichunwing0414,

I believe this is a firewall issue. Can you try to run the below command from one of the VAs? Put the server name where IQService is installed; the port could be either the TLS or the non-TLS one.

sailpoint@sailpoint-va ~ $ ncat -z -v

As per the doc, communication via TCP between IdentityIQ/Virtual Appliance and IQService must be available. By default this happens on the non-TLS port 5050, but it can be configured to use the configured TLS port. Communication via UDP and TCP between IdentityIQ/Virtual Appliance and at least one AD domain controller via LDAP must be available. By default this happens on ports 389 and 636.

Also, please go through this, which might help in troubleshooting.

Hi @choichunwing0414, do you have the TLS option enabled in your IQService configuration?

Hi @choichunwing0414

AD source aggregation runs via LDAP on 389/636. That is why it is working without IQS (this ensures that the LDAP part is OK between AD and the VA, on 389 or 636).

The provisioning part occurs on IQS. The second message says that IQS is down. So the timeout can be between IQS and AD too.

Try to identify the point of failure by testing the connection between the VA and IQS. Ensure that IQS has TLS DISABLED, and on the VA shell, run:
tb start
tb session
nc -zv -w 5 <ip_IQS> <port_IQS>
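The nc check above, widened into a script that probes the IQService port together with LDAP and LDAPS on a domain controller from the VA shell. This is an added example, not code from any post in this thread; the function names, the probe targets and the use of nc with a bash /dev/tcp fallback are assumptions.

```shell
#!/usr/bin/env bash
# check_tcp HOST PORT [TIMEOUT]: return 0 when a TCP connection to HOST:PORT
# can be opened within TIMEOUT seconds, non-zero otherwise.
check_tcp() {
  local host=$1 port=$2 t=${3:-5}
  if command -v nc >/dev/null 2>&1; then
    # -z: scan only, do not send data; -w: connection timeout in seconds
    nc -z -w "$t" "$host" "$port" >/dev/null 2>&1
  else
    # Fallback when nc is absent: bash's /dev/tcp pseudo-device (assumption)
    timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  fi
}

# check_iqservice_paths IQS_HOST IQS_PORT DC_HOST: probe the three paths the
# VA needs (IQService port, LDAP 389, LDAPS 636), print one line per probe
# and return the number of probes that failed (0 means every path is open).
check_iqservice_paths() {
  local iqs_host=$1 iqs_port=$2 dc_host=$3
  local failures=0 target label rest host port
  for target in "IQService:$iqs_host:$iqs_port" "LDAP:$dc_host:389" "LDAPS:$dc_host:636"; do
    label=${target%%:*}; rest=${target#*:}
    host=${rest%:*}; port=${rest##*:}
    if check_tcp "$host" "$port" 5; then
      echo "OK   $label $host:$port"
    else
      echo "FAIL $label $host:$port (blocked, unreachable or nothing listening)"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage with the addresses from this thread (constructed; DC address assumed):
# check_iqservice_paths 192.168.10.10 5010 dc01.example.local
```

A FAIL on the IQService line with OK on both LDAP lines matches the symptom in this thread: aggregation works, provisioning through IQService does not.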

Hi Julian,

192.168.10.10 is the IP that I found with ifconfig on the Windows server, and I set 5010 as my port in IQService.

After I tested your script in my VA, the connection reset message still appears once I put the IQ server IP and port into the IQService settings.

Best regards,
Jacky

Hi Mehdi,

No, I didn’t enable the TLS.

Hi Jacky, the nc command shows that you are not able to connect from the VA to IQS. You have to check with your network team to allow the VA to reach port 5010 of the 192.168.10.10 server.
