
Deleted Web Messenger Emails Reappear in Portal

Created: 08 Jan 2014 | 7 comments

We have a new installation of Symantec Encryption Servers, version 3.3.0, build 8741. Two servers are internal, two are Web Messenger servers in our DMZ and load balanced. One of our external recipients has been reporting that she deletes emails in the portal and when she logs back in at a later date those deleted emails have reappeared. The emails are being sent to a shared external address but it is my belief that only one person is logging into this portal account. The emails are normally sent with exactly the same subject line, and they reappear with the original sent date and time. I managed to recreate this issue in my own portal account one time, but since then have failed. I know very little about this system as it was kind of dumped on me. Any suggestions would be appreciated.


Alex_CST's picture

What is the sync interval on the 2 DMZ machines?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

outlookdude's picture

I have found references to a directory synchronization interval, but still haven't found that setting. However, that seems to be related to a sync with Active Directory and user accounts. I wouldn't expect that to be related to web messenger data.

I've been looking for a cluster sync interval but haven't found anything.

How would I check that?

 

These two servers are clustered. They are accessed by external users through a public DNS round robin. Is that appropriate?

Alex_CST's picture

If your 2 DMZ servers aren't syncing correctly, one of them could have a different version of emails than the other one. That explains why you were able to repeat the issue, but not consistently. Especially with DNS round robin.

Take a look at the requirements for cluster members, there's quite a few:

http://www.symantec.com/docs/TECH157115

To test the problem, log into each webmessenger portal individually (replace hostname with IP of each DMZ server) and see if you can use that technique to further whittle down the problem.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

outlookdude's picture

I believe we meet all of those requirements.

We have a web messenger server named “ABC” and another named “XYZ”. Both names resolve appropriately through DNS to the correct IP addresses, and communicate appropriately on the required ports. The round robin “DEF” points to both of those IP addresses and is the publicly advertised address for external users\recipients.

What I have found is that if I look at replication status on server ABC, for server ABC, I see Consumer Data equals 3769, and Web Email Protection equals 451. If I look at replication status on server XYZ, for server ABC, Consumer Data equals 5868 and Web Email Protection equals 451. I’m not sure what the Consumer Data difference means, or if that is related to this issue. But, if I check the status of server XYZ it is the same when checked from either location, (7131).

Things that I think are unrelated… When I look at cluster logging I see some warnings, but no errors… I see this warning on server ABC several times per day…

Can't send response -- stripped keys cannot pass from restricted server to normal

Around the time this was first reported, (but not necessarily when it started – I have no way to know at this point), I see a number of warnings like the following on server XYZ…

Exception 23503 writing subkey 4c7c7119-7ea7-4ebe-b579-2bc05babe713
Exception 23503 writing key_user_id bc01bf99-7108-4649-802f-e7096bc27a08
Exception 23503 writing key_signer fd62ffa5-9bc1-4dbf-a63a-f7123e3a0805
Exception 23503 writing mak 78a9b278-f3b6-4fee-8ee9-8c3780afb3f3
Exception 23503 writing boomerang_mail_recipient d3797760-251b-49f4-82ca-39984c0d8e3c

And recently every few days something like this…

SCAN: error handling boomerang_mail_recipient f09691ee-b401-406b-bf5f-d9d9840563c2 EXCEPTION STACK TRACE:
org.postgresql.util.PSQLException: ERROR: insert or update on table "boomerang_mail_recipient" violates foreign key constraint "boomerang_mail_recipient_mail_uuid_fkey"
Detail: Key (mail_uuid)=(2885c0f7-c630-4ffd-8f6b-8aa6f92c14f2) is not present in table "boomerang_mail".
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.executeTransactionCommand(AbstractJdbc2Connection.java:685)
    at org.postgresql.jdbc2.AbstractJdbc2Connection.commit(AbstractJdbc2Connection.java:709)
    at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.postgresql.ds.jdbc23.AbstractJdbc23PooledConnection$ConnectionHandler.invoke(AbstractJdbc23PooledConnection.java:352)
    at $Proxy0.commit(Unknown Source)
    at com.pgp.ovid.rep.daemon.ChangeCache.handleDataResponse(ChangeCache.java:1042)
    at com.pgp.ovid.rep.daemon.RepWorker.handleDataResponse(RepWorker.java:898)
    at com.pgp.ovid.rep.daemon.RepWorker.run(RepWorker.java:365)

I suspect that a lot of that is completely unrelated. But, I include it because I really don’t know what it does mean.

Thanks again for the assistance.

dcats's picture

Hi outlookdude,

This means that the cluster is not able to handle some Web Messenger data (boomerang), and that's very likely the reason for the deleted emails appearing again and again.
Please contact technical support, because an intervention on the database is very likely to be needed.

Also ensure that the DNS round robin you mention does not go against point 16 of TECH157115.

Rgs,
dcats
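
Added example, not part of the thread and not Symantec code: a small Python parser that groups the replication warnings quoted above by the table being written and extracts the missing parent row named in the PSQLException, which is the detail a support case will need. It relies on 23503 being PostgreSQL's SQLSTATE for a foreign-key violation; the function names and the trimmed `SAMPLE_LOG` are this example's own.

```python
import re
from collections import defaultdict

FK_VIOLATION = "23503"  # PostgreSQL SQLSTATE for foreign_key_violation

# Short warning form: "Exception <sqlstate> writing <table> <row uuid>"
SHORT = re.compile(r"Exception (\d{5}) writing (\w+) ([0-9a-f-]{36})")
# Long form: the PSQLException message names the missing parent row.
LONG = re.compile(
    r'SCAN: error handling (\w+) ([0-9a-f-]{36}).*?'
    r'foreign key constraint "(\w+)".*?'
    r'Key \((\w+)\)=\(([0-9a-f-]{36})\) is not present in table "(\w+)"',
    re.S,
)

# Warnings quoted in the thread; the SCAN entry is trimmed to its message.
SAMPLE_LOG = """\
Exception 23503 writing subkey 4c7c7119-7ea7-4ebe-b579-2bc05babe713
Exception 23503 writing key_user_id bc01bf99-7108-4649-802f-e7096bc27a08
Exception 23503 writing boomerang_mail_recipient d3797760-251b-49f4-82ca-39984c0d8e3c
SCAN: error handling boomerang_mail_recipient f09691ee-b401-406b-bf5f-d9d9840563c2 EXCEPTION STACK TRACE: org.postgresql.util.PSQLException: ERROR: insert or update on table "boomerang_mail_recipient" violates foreign key constraint "boomerang_mail_recipient_mail_uuid_fkey" Detail: Key (mail_uuid)=(2885c0f7-c630-4ffd-8f6b-8aa6f92c14f2) is not present in table "boomerang_mail".
"""

def summarize(log_text):
    """Group replication write failures by the table being written."""
    report = defaultdict(lambda: {"rows": [], "missing_parents": set()})
    for code, table, row in SHORT.findall(log_text):
        if code == FK_VIOLATION:
            report[table]["rows"].append(row)
    for table, row, _fkey, column, parent_id, parent in LONG.findall(log_text):
        entry = report[table]
        if row not in entry["rows"]:
            entry["rows"].append(row)
        # (parent table, referencing column, parent uuid) absent on this node
        entry["missing_parents"].add((parent, column, parent_id))
    return dict(report)

def web_messenger_tables(report):
    """Tables holding Web Messenger ("boomerang") data that failed to replicate."""
    return sorted(t for t in report if t.startswith("boomerang_"))

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for table, info in sorted(result.items()):
        print(table, len(info["rows"]), sorted(info["missing_parents"]))
```
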

outlookdude's picture

Thanks.

There is no load balancer involved so I don't think that point 16 should be the issue. I did say "load balanced" in my first post. Poor choice of words on my part. We configured them as clustered in the Symantec Encryption Server management console, and they have DNS round robin entries.

I'll open a case with tech support.

dcats's picture

Hi outlookdude,

The DNS round robin acts like a load balancer and may conflict with the Name Resolution Requirements for the Cluster.

Additional reference: HOW TO: Ensure High Availability in a PGP Universal Server Cluster - TECH193552.

Rgs,
dcats