Environment
NetIQ eDirectory
Novell eDirectory 8.8.x for Windows
Novell eDirectory 8.8.x for Windows
Situation
The problem occurs when browsing an object or container in one server and then clicking on another server to see the information from the perspective of the other server (this is called proxy mode in iMonitor).
The request will fail with an error -340, Transport error.
The request will fail with an error -340, Transport error.
Resolution
This error is a generic error and can be caused with a problem with the certificates.
When running eDirectory on Windows, if the remote server that needs to be accessed is configured in such a way that the UDP referral is returned before the TCP referral, this error will be returned. Looking at an NCP trace it's possible to see that iMonitor attempts to perform a TLS handshake over UDP and fails (TLS only works over TCP). If this is the problem, launch NDS Console and check the transports tab, expand the NCP | Bound Transports entry. If the first protocol listed is UDP, then this server has UDP configured as default protocol.
Another way to determine if this is the cause of the problem is to look at the URL used by iMonitor. If the URL has a field like &ref=/UDP'=<IP address> before the corresponding for TCP, then the problem will occur. You can temporarily carry on navigating with iMonitor by swapping the &ref field and putting the TCP first.
Once the -340 error has occurred, it's normal to see that the server is marked as Down and requests going to the server will fail. The error will be reported in synchronization and other communication tasks that need to go to the remote server will fail. Once in this condition, the server doesn't seem to recover until the dhost process gets restarted.
In order to fix the problem, check for the existence of a transact.acs or config.acs in your Dibfiles directory. Stop the eDirectory service and then edit one of the files. If both files are present, edit config.acs.
There should be a section that looks like this:
[NCP Engine/Transports/Enum] = 0x00000002
[NCP Engine/Transports/Enum/000] = {0x00 0x00 0x00 0x06 0x00 0x02 0x0c 0x02 0x01 0x02 0x03 0x0a}
[NCP Engine/Transports/Enum/001] = {0x00 0x00 0x00 0x11 0x00 0x02 0x0c 0x02 0x01 0x02 0x0a30x0a}
This section represents the UDP addressed (0x06 as the 5th byte) and TCP address (0x11 as the 5th byte). Make sure that the address with 0x11 in the 5th byte is the first one in the list by swapping the lines with a text editor.
When running eDirectory on Windows, if the remote server that needs to be accessed is configured in such a way that the UDP referral is returned before the TCP referral, this error will be returned. Looking at an NCP trace it's possible to see that iMonitor attempts to perform a TLS handshake over UDP and fails (TLS only works over TCP). If this is the problem, launch NDS Console and check the transports tab, expand the NCP | Bound Transports entry. If the first protocol listed is UDP, then this server has UDP configured as default protocol.
Another way to determine if this is the cause of the problem is to look at the URL used by iMonitor. If the URL has a field like &ref=/UDP'=<IP address> before the corresponding for TCP, then the problem will occur. You can temporarily carry on navigating with iMonitor by swapping the &ref field and putting the TCP first.
Once the -340 error has occurred, it's normal to see that the server is marked as Down and requests going to the server will fail. The error will be reported in synchronization and other communication tasks that need to go to the remote server will fail. Once in this condition, the server doesn't seem to recover until the dhost process gets restarted.
In order to fix the problem, check for the existence of a transact.acs or config.acs in your Dibfiles directory. Stop the eDirectory service and then edit one of the files. If both files are present, edit config.acs.
There should be a section that looks like this:
[NCP Engine/Transports/Enum] = 0x00000002
[NCP Engine/Transports/Enum/000] = {0x00 0x00 0x00 0x06 0x00 0x02 0x0c 0x02 0x01 0x02 0x03 0x0a}
[NCP Engine/Transports/Enum/001] = {0x00 0x00 0x00 0x11 0x00 0x02 0x0c 0x02 0x01 0x02 0x0a30x0a}
This section represents the UDP addressed (0x06 as the 5th byte) and TCP address (0x11 as the 5th byte). Make sure that the address with 0x11 in the 5th byte is the first one in the list by swapping the lines with a text editor.