Thanks for the help, appreciate another set of eyes on this.

Was hoping it would be something simple between the systems. To that end I've 
turned off all local firewalls on the primary and replica, as well as ensured 
that the required ports are open when they are on. I've also ensured that the 
inter-vlan firewall has rules allowing all traffic to flow in both directions 
between primary and replica.

example.com is a sanitized domain as you picked up on.

Here are the nmap -v results

replica to primary

[root@replica ~]# nmap -v primary
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:18 CST
Initiating Ping Scan at 23:18
Scanning primary (192.168.0.21) [4 ports]
Completed Ping Scan at 23:18, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:18
Scanning primary (192.168.0.21) [1000 ports]
Discovered open port 53/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 443/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 8080/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 135/tcp on 192.168.0.21
Discovered open port 49152/tcp on 192.168.0.21
Discovered open port 9090/tcp on 192.168.0.21
Discovered open port 749/tcp on 192.168.0.21
Discovered open port 8443/tcp on 192.168.0.21
Discovered open port 389/tcp on 192.168.0.21
Discovered open port 636/tcp on 192.168.0.21
Discovered open port 464/tcp on 192.168.0.21
Discovered open port 88/tcp on 192.168.0.21
Completed SYN Stealth Scan at 23:18, 0.69s elapsed (1000 total ports)
Nmap scan report for primary (192.168.0.21)
Host is up (0.044s latency).
rDNS record for 192.168.0.21: primary.example.com
Not shown: 984 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
749/tcp   open  kerberos-adm
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
9090/tcp  open  zeus-admin
49152/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.092KB)


primary to replica

[root@primary ~]# nmap -v replica
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:21 CST
Initiating Ping Scan at 23:21
Scanning 192.168.10.9 [4 ports]
Completed Ping Scan at 23:21, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:21
Scanning replica.example.com (192.168.10.9) [1000 ports]
Discovered open port 22/tcp on 192.168.10.9
Discovered open port 443/tcp on 192.168.10.9
Discovered open port 80/tcp on 192.168.10.9
Discovered open port 389/tcp on 192.168.10.9
Discovered open port 9090/tcp on 192.168.10.9
Discovered open port 88/tcp on 192.168.10.9
Discovered open port 636/tcp on 192.168.10.9
Discovered open port 464/tcp on 192.168.10.9
Completed SYN Stealth Scan at 23:22, 4.86s elapsed (1000 total ports)
Nmap scan report for replica.example.com (192.168.10.9)
Host is up (0.040s latency).
Not shown: 991 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   open   http
88/tcp   open   kerberos-sec
389/tcp  open   ldap
443/tcp  open   https
464/tcp  open   kpasswd5
636/tcp  open   ldapssl
9090/tcp open   zeus-admin

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
           Raw packets sent: 1986 (87.360KB) | Rcvd: 20 (1.156KB)


Re: No communication, what's baffling is that I can see the replication start 
up on both ends in the dirsrv logs. Also the initial sync runs and completes.

Re: DNS, I point the replica to the primary for DNS resolution during the 
replica install. I also have entries in the hosts files on the replica and 
primary for the shortname and fqdn of both the replica and primary. I do have 
other DNS servers that are mirrors of the primary IPA DNS.

Re: --uninstall, that is performed as well as a reboot after each 
ipa-client-install, ipa-replica-install and ipa-server-install --uninstall for 
good measure.

I do run a split domain, I know the evils of that, but it's necessary for my 
clients to work while migrating in and out of the internal networks. I've 
verified that is working as expected as well.

The dirsrv logs do show a replication issue around the number of entries per time; 
I assume that's a throttling mechanism. I also have a dangling replication 
agreement that I cannot get rid of for another replica. Other than that, I 
don't see anything unusual in the logs for LDAP. But I'm no expert, so if a 
sanitized version of those would help, let me know.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
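An added example, not from this thread or from the FreeIPA project, that automates the check the reply above does by hand: parse nmap's normal output for each direction, compare it with the TCP ports the FreeIPA installation docs list as required between servers (80, 443, 389, 636, 88, 464, plus 53 only when integrated DNS is installed), and separate `closed` (a RST came back, so the peer is reachable but nothing listens) from `filtered` (no reply at all, which is what a firewall or ACL silently dropping packets looks like). The nmap excerpts embedded below are constructed to mirror the two scans posted above plus one hypothetical scan where LDAP is blocked; `probe_tcp` is a live helper for the same distinction and is not exercised by the embedded samples. UDP ports (88, 464, 123) are outside a TCP SYN scan and are listed only for reference.

```python
"""Check FreeIPA server-to-server TCP ports from nmap output (added example)."""
import re
import socket

# TCP ports FreeIPA documents as required between servers; 53 only if the
# server runs integrated DNS. UDP 88/464/123 are also needed but a SYN scan
# does not cover them.
REQUIRED_TCP = {80: "http", 443: "https", 389: "ldap", 636: "ldaps",
                88: "kerberos", 464: "kpasswd"}
OPTIONAL_TCP = {53: "dns (integrated DNS only)"}
REQUIRED_UDP = {88: "kerberos", 464: "kpasswd", 123: "ntp"}

# Matches nmap's port table lines, e.g. "389/tcp  open   ldap".
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)", re.M)
# nmap summarises the unlisted ports with a single default state.
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (closed|filtered) ports", re.M)


def parse_nmap(text):
    """Return ({tcp_port: state}, default_state_for_unlisted_ports)."""
    ports = {int(p): state for p, proto, state, _svc in PORT_RE.findall(text)
             if proto == "tcp"}
    m = NOT_SHOWN_RE.search(text)
    return ports, (m.group(2) if m else "unknown")


def check_replication_ports(text):
    """State of every required TCP port; unlisted ports take nmap's default."""
    ports, default = parse_nmap(text)
    return {port: ports.get(port, default) for port in REQUIRED_TCP}


def problems(text):
    """Required ports that are not open, with the reason nmap observed."""
    return {p: s for p, s in check_replication_ports(text).items() if s != "open"}


def probe_tcp(host, port, timeout=3.0):
    """Live check with the same vocabulary as nmap: refused = closed (RST seen),
    timeout = filtered (nothing answered). Not used by the embedded samples."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


# Constructed samples, shaped like the two scans in the reply above.
SAMPLE_REPLICA_TO_PRIMARY = """\
Not shown: 984 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
389/tcp   open  ldap
443/tcp   open  https
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
"""

SAMPLE_PRIMARY_TO_REPLICA = """\
Not shown: 991 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   open   http
88/tcp   open   kerberos-sec
389/tcp  open   ldap
443/tcp  open   https
464/tcp  open   kpasswd5
636/tcp  open   ldapssl
"""

# Hypothetical: LDAP/LDAPS never answered, so they fall into the filtered bucket.
SAMPLE_LDAP_BLOCKED = """\
Not shown: 995 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
88/tcp   open   kerberos-sec
443/tcp  open   https
464/tcp  open   kpasswd5
"""

if __name__ == "__main__":
    for name, text in [("replica->primary", SAMPLE_REPLICA_TO_PRIMARY),
                       ("primary->replica", SAMPLE_PRIMARY_TO_REPLICA),
                       ("hypothetical blocked", SAMPLE_LDAP_BLOCKED)]:
        _, default = parse_nmap(text)
        print(name, "unlisted ports:", default, "problems:", problems(text))
```

The useful signal is the default state of the unlisted ports: `closed` means the peer answered every probe with a RST, so nothing in the path is dropping traffic; `filtered` means probes went unanswered, and any required port that drifts into that bucket points at a host firewall, an inter-VLAN ACL, or a routing asymmetry rather than at 389-ds itself.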