Latest Posts

CyberArk PAS Configuration Issues and Troubleshooting (Vault)

 This post is created to collect some issues or error messages I met and solutions I resolved them. 

  • Safe PSMRecording is out of space
  • DR Replication Error
  • DR site changed to 'inactive' due to lack of replication activity
  • PADR.ini EnableFailover=No
  • Vault Patching
  • Vault External Firewall Rules

Related posts:

PSMRecording is out of space

Safe PSMRecordings is out of space.

Log in as administrator - Safe - PSMRecordings - Open - Properties ->

PSMrecording Properties

Default size is 51200MB, changed to 251200MB


DR Replication Error

[Distributed Vault] - error 1236 master has purged binary logs containing GTIDs that the slave requires
[07/08/2020   12:56:02.412963]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   12:56:02.412992]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   12:56:02.417949]    ::    PADR0010I Replicate ended. 
[07/08/2020   13:00:52.663872]    ::    PADR0102E Metadata Replication encountered an error - Restart replication will be triggered. See Diagnostic Info below. 
[07/08/2020   13:00:52.663911]    ::     Last SQL Error Code: 0 
[07/08/2020   13:00:52.663930]    ::     Last SQL Error: "" 
[07/08/2020   13:00:52.663946]    ::     Last IO Error Code: 1236 
[07/08/2020   13:00:52.663969]    ::     Last IO Error: "Got fatal error 1236 from master when reading data from binary log: 'The slave is connecting using CHANGE MASTER TO MASTER_AUTO_POSITION = 1, but the master has purged binary logs containing GTIDs that the slave requires.'" 
[07/08/2020   13:00:52.664041]    ::     SQL Thread Running State: "Yes" 
[07/08/2020   13:00:52.664062]    ::     IO Thread Running State: "No" 
[07/08/2020   13:00:52.679336]    ::    PADR0009I Replicate started. 
[07/08/2020   13:00:52.679637]    ::    PADR0095I Refreshing Vault configuration files. 
[07/08/2020   13:00:52.746654]    ::    PADR0097I Refreshing Vault configuration files completed successfully. 
[07/08/2020   13:00:52.751424]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   13:00:52.751455]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   13:00:52.753812]    ::    PADR0010I Replicate ended. 
[07/08/2020   13:05:52.028154]    ::    PADR0102E Metadata Replication encountered an error - Restart replication will be triggered. See Diagnostic Info below. 
[07/08/2020   13:05:52.028201]    ::     Last SQL Error Code: 0 
[07/08/2020   13:05:52.028222]    ::     Last SQL Error: "" 
[07/08/2020   13:05:52.028241]    ::     Last IO Error Code: 1236 
[07/08/2020   13:05:52.028267]    ::     Last IO Error: "Got fatal error 1236 from master when reading data from binary log: 'The slave is connecting using CHANGE MASTER TO MASTER_AUTO_POSITION = 1, but the master has purged binary logs containing GTIDs that the slave requires.'" 
[07/08/2020   13:05:52.028288]    ::     SQL Thread Running State: "Yes" 
[07/08/2020   13:05:52.028307]    ::     IO Thread Running State: "No" 
[07/08/2020   13:05:52.043512]    ::    PADR0009I Replicate started. 
[07/08/2020   13:05:52.043814]    ::    PADR0095I Refreshing Vault configuration files. 
[07/08/2020   13:05:52.122958]    ::    PADR0097I Refreshing Vault configuration files completed successfully. 
[07/08/2020   13:05:52.127879]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   13:05:52.127915]    ::    GetPADRWorkingDirectory returned [C:\Program Files (x86)\PrivateArk\PADR\Conf] 
[07/08/2020   13:05:52.130296]    ::    PADR0010I Replicate ended. 

Cause 

The DR service has not run for a long time. Once you start the DR service, it is not able to find the transaction logs it requires to do the metadata replication.

Resolution 

Do a full replication from the Primary Vault / Master Vault.

Reset replication in the padr.ini:

1. Delete the following lines in padr.ini: 

NextBinaryLogNumberToStartAt
LastDataReplicationTimestamp

2. Restart CyberArk Vault Disaster Recovery service

DR site changed to 'inactive' due to lack of replication activity

ITATP052W The status of the DR site (Username = DR) changed to 'inactive' due to lack of replication activity.
DR Account Activities
DR Account Activities
Once PADR issue has been resolved and replication activity was successful, this kind of message should be gone. 


Set PADR.ini EnableFailover=No

For manual failover, not auto, in case there were network outage which you are not able to control, set PADR.ini EnableFailover=No

[MAIN]
ReplicateLogonFromFile="C:\Program Files (x86)\PrivateArk\PADR\Conf\user.ini"
EnableCheck=Yes
EnableReplicate=Yes
EnableFailover=No
EnableDbsync=Yes
CheckInterval=60
CheckRetriesCount=5
CheckRetriesInterval=30
ReplicateInterval=3600
ReplicateRetriesInterval=300
AccessVaultForInactivity=Yes
FailoverMode=No

NextBinaryLogNumberToStartAt=0
LastDataReplicationTimestamp=1596827567642853 


Vault Patching

For Windows Updates - just follow the standard vault patching instructions....

Stop the vault, enable Windows Update & Windows Module Installer, Install the KB/Patch, disable the services & start the vault.



Vault External Firewall Rules



[HSM]
AllowNonStandardFWAddresses=[2.2.2.2],Yes,1792:inbound/tcp,1792:outbound/tcp

[NTP]
AllowNonStandardFWAddresses=[1.1.1.1],Yes,123:outbound/udp

[RDP]
AllowNonStandardFWAddresses=[3.3.3.3],Yes,3389:inbound/tcp,3389:outbound/tcp
AllowNonStandardFWAddresses=[3.3.3.3],Yes,3389:inbound/udp,3389:outbound/udp

[Syslog]
AllowNonStandardFWAddresses=[4.4.4.4],Yes,514:outbound/udp


[Windows Update]


No comments