That was it.  They opened up 8080 and it's working as expected.  Thank you!

On Wed, Jun 7, 2017 at 12:17 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> John Bowman via FreeIPA-users wrote:
> > I'm hoping this is a firewall issue but I figured I would check just in
> > case I'm looking in the wrong direction.
> >
> > I set up a pair of non-CA replicas today and as far as I could tell
> > everything seemed to be okay but I noticed that when searching via the
> > web ui on the new replicas it would take 2 minutes to return information.
> >
> > In the logs I noticed this timeout error which is what I assumed was the
> > culprit:
> > [Wed Jun 07 14:48:31.155444 2017] [:error] [pid 14384] ipa: ERROR:
> > ra.find(): Unable to communicate with CMS ([Errno 110] Connection timed
> > out)
> >
> > I can see in tcpdump connections over ldap and 8080 which should be open
> > between the two and I wanted to verify if there should be any other
> > ports open that aren't covered in the install instructions or maybe
> > something I missed (7389 perhaps because it's 4.x to 3.x communication).
> >
> > Also I was hoping to cut down traffic across the network since the new
> > servers are in the EU and the old ones are in the US.  Are there any
> > tips/instructions on doing something like this if it's even possible?
> >
> > # firewall-cmd --zone=public --list-all
> > public (active)
> >   target: default
> >   icmp-block-inversion: no
> >   interfaces: ens224
> >   sources:
> >   services: dns http https kerberos kpasswd ldap ldaps ntp snmp ssh
>
> I don't see 8080 in that list. That is the port that find uses.
>
> rob
>
>


-- 
John Bowman
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
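
Added example, not part of the original thread or of FreeIPA: a small TCP probe to run from the replica toward the CA master. It separates a silently dropped connection (the "[Errno 110] Connection timed out" seen in the log) from a refused one, where the path is clear but no service is listening. The port labels, the 3 second timeout and the host name in the usage comment are assumptions.

```python
import errno
import socket
import sys

# 8080 is the port named in the reply; 389 is the standard LDAP port and 7389
# is the poster's own guess. The labels are made up for this example.
PORTS = {"ldap": 389, "ca-http": 8080, "legacy-ca-ldap": 7389}

HINTS = {
    "open": "reachable",
    "refused": "path is clear but nothing is listening; check the service",
    "filtered": "no reply at all; a host or network firewall is dropping it",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # an RST came back, so the packet reached the host
    except socket.timeout:
        return "filtered"  # our own timeout expired with no answer
    except OSError as exc:
        if exc.errno == errno.ETIMEDOUT:  # the kernel's [Errno 110] from the log
            return "filtered"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def check(host, ports=PORTS, timeout=3.0):
    """Probe every port and return {label: (port, state, hint)}."""
    report = {}
    for label, port in ports.items():
        state = probe(host, port, timeout)
        report[label] = (port, state, HINTS.get(state, "see errno"))
    return report


if __name__ == "__main__":
    # Hypothetical usage: python3 probe.py ca-master.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for label, (port, state, hint) in check(target).items():
        print(f"{label:15} {port:5}/tcp {state:10} {hint}")
```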
