Error "Network connect timeout error" on the login page

This document (000020939) is provided subject to the disclaimer at the end of this document.

Situation

Attempting to log in results in the error "Network connect timeout error".


Resolution

The NeuVector Manager pod communicates with the Controllers via the cluster DNS hostname "neuvector-svc-controller.neuvector". This hostname is set by the CTRL_SERVER_IP container environment variable in the Manager manifest below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-manager-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-manager-pod
  replicas: 1
  template:
    metadata:
      labels:
        app: neuvector-manager-pod
    spec:
      imagePullSecrets:
        - name: regsecret
      containers:
        - name: neuvector-manager-pod
          image: neuvector/manager:<version>
          env:
            - name: CTRL_SERVER_IP
              value: neuvector-svc-controller.neuvector
      restartPolicy: Always

Various conditions can result in this error.
  • Cluster DNS resolution not working
  • Controller pods not running/stable
  • Network issues between Manager and Controllers

The Manager reports the failure in its pod log.

|MANAGER|com.neu.api.AuthenticationService(apply:289): Connection attempt to neuvector-svc-controller.neuvector:10443 failed

Troubleshooting

The steps below can help narrow down the root cause.

1. Ensure the Controller pods are running

❯ kubectl get pods -n neuvector
NAME READY STATUS RESTARTS AGE
neuvector-controller-pod-66949c699b-8xkkn 1/1 Running 0 13h
...

2. Ensure the Controller headless service is up

❯ kubectl get svc -n neuvector
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
...
neuvector-svc-controller ClusterIP None <none> 18300/TCP,18301/TCP,18301/UDP 19h

3. Check whether the Controller service is reachable by running wget inside the Manager pod

❯ kubectl get pods -n neuvector
NAME                                        READY   STATUS      RESTARTS   AGE
...
neuvector-manager-pod-689d8b58d4-6dpjq      1/1     Running     0          57m
...

❯ kubectl exec -it -n neuvector neuvector-manager-pod-689d8b58d4-6dpjq -- sh
/ $ wget --no-check-certificate https://neuvector-svc-controller.neuvector:10443/v1/eula
Connecting to neuvector-svc-controller.neuvector:10443 (192.168.142.205:10443)
wget: server returned error: HTTP/1.1 401 Unauthorized

The output above shows that the Manager container can resolve the cluster DNS name, connect to the Controller, and receive an authentication error response. If cluster DNS is not working, you may get the following result instead.

❯ kubectl exec -it -n neuvector neuvector-manager-pod-76fdf78cbf-295xc -- sh
/ $ wget --no-check-certificate https://neuvector-svc-controller.neuvector:10443/v1/eula
wget: bad address 'neuvector-svc-controller.neuvector:10443'
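
The three steps above can be combined into one script that maps what it observes to the causes listed earlier. This is an added example, not part of the original SUSE article; only the "401 Unauthorized" and "bad address" outputs come from the article, while the connect-failure messages and the wget options -T and -O are assumptions about the wget in the Manager image.

```shell
#!/bin/sh
# Added example (not from the SUSE article): automates troubleshooting steps 1-3.
NS=neuvector
URL=https://neuvector-svc-controller.neuvector:10443/v1/eula

# count_ready PODS PREFIX: number of pods named PREFIX* that are Running and fully ready.
count_ready() {
  printf '%s\n' "$1" | awk -v p="$2" '
    index($1, p) == 1 && $3 == "Running" {
      split($2, r, "/"); if (r[1] + 0 > 0 && r[1] == r[2]) n++
    }
    END { print n + 0 }'
}

# classify_probe TEXT: map wget output from the Manager pod to a result code.
classify_probe() {
  case "$1" in
    *"401 Unauthorized"*) echo reachable ;;   # shown in the article: Controller answered
    *"bad address"*)      echo dns ;;         # shown in the article: name did not resolve
    # Assumed wget messages for a connect failure; not shown in the article.
    *"can't connect"*|*"Connection refused"*|*"timed out"*) echo network ;;
    *) echo unknown ;;
  esac
}

# diagnose PODS PROBE: combine step 1 and step 3 into one of the listed causes.
diagnose() {
  if [ "$(count_ready "$1" neuvector-controller-pod)" -eq 0 ]; then
    echo "controller: no Controller pod is Running and ready"
    return
  fi
  case "$(classify_probe "$2")" in
    reachable) echo "ok: Manager resolves and reaches the Controller on port 10443" ;;
    dns)       echo "dns: cluster DNS did not resolve the Controller service name" ;;
    network)   echo "network: the connection to the Controller failed or timed out" ;;
    *)         echo "unknown: inspect the Manager pod log" ;;
  esac
}

# Live mode: sh diagnose.sh --live (needs kubectl access to the cluster).
if [ "${1:-}" = "--live" ]; then
  pods=$(kubectl get pods -n "$NS" --no-headers)
  kubectl get svc -n "$NS" neuvector-svc-controller >/dev/null || echo "service missing"
  mgr=$(printf '%s\n' "$pods" | awk '/^neuvector-manager-pod/ { print $1; exit }')
  # -T 5 and -O /dev/null are assumed to be supported by the image's wget.
  probe=$(kubectl exec -n "$NS" "$mgr" -- wget --no-check-certificate -T 5 \
    -O /dev/null "$URL" 2>&1) || true
  diagnose "$pods" "$probe"
fi
```

The Controller readiness check runs first because the service is headless: with no ready Controller pod behind it, the name lookup can fail even when cluster DNS itself is healthy.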

Please get in touch with SUSE NeuVector Support if further assistance is needed.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020939
  • Creation Date: 18-Jan-2023
  • Modified Date: 18-Jan-2023
  • Product: SUSE NeuVector
