Policy Management Errors

Explains the main Policy management connection errors, permission restrictions, policy creation, and deployment problems users may encounter while working with Policy management in ESA.

Node Connectivity Status is displayed as Error under Policy Management > Data Stores in the ESA Web UI

Issue: In a multi-site ESA configuration, if the protectors are at or below v9.1.0.0, the Node Connectivity Status on the Primary site ESAs might display the Error status. This behavior is observed for all the protector nodes after performing failover and failback operations between the Primary and the Disaster Recovery sites.

Description: This may occur because the PEP server attempts to send its status using a Node ID that is not present in the ESA's repository. This repository maintains the status of all registered PEP server nodes.

Additionally, the following warning appears in the PEP server logs:

(WARNING) Failed to send node status: The requested URL was not found on the server

To access the PEP server logs, log in to the ESA, navigate to Audit Store > Dashboard > Open in new tab, select Discover from the menu, and select a time period.

Workaround: Perform the following steps to reset the node's status to Green ("OK").

  1. Log in to the ESA Web UI of the Primary ESA.
  2. Navigate to Policy Management > Data Stores.
  3. Select the nodes showing the status as Red ("Error") and click the delete button to remove the entries.

If there are many PEP server nodes registered, delete the nodes in batches of 200. After the registered nodes are deleted successfully, the PEP server nodes re-register with the ESA and the status updates to Green ("OK").

The following section provides information about the resultant errors when trying to fetch the members from a member source.

Error/Problem

This may happen because…

Recovery

When working with the member source on the ESA Web UI, a connection timeout error is observed while fetching the members or syncing a group in a role. If you get a connection timeout error, check the hubcontroller.log and mbs.log files for error messages.

  • HubController log - "Failed to synchronize 'auto_role' member 'MBSTest50001-100000' [Caused by: PIM MBS returned error: Failed to send request to upstream PIM MBS service: The timeout period of 30000ms has been exceeded while executing POST /api/v1/members for server localhost:25800]", "POST /dps/v1/management/roles/60/members/sync | 500 | 127.0.0.1 | admin | 30sec | 1 of 1 members could not be synchronized"
  • Member Source Service log - "Failed to query group members | causedBy=Get "https://graph.microsoft.com/v1.0/groups/transitiveMembers?": net/http: request canceled (Client.Timeout exceeded while awaiting headers)"
  • Web UI error message - Failed to synchronize member. 1 of 1 members could not be synchronized.

The timeout period exceeds the default values specified for the following parameters:

  • PTY_ROLE_MBS_REQUEST_TIMEOUT
  • PTY_MEMBERSOURCESERVER_REQUEST_TIMEOUT
  • PTY_MANAGEMENT_MBS_REQUEST_TIMEOUT

Perform the following steps to fix the timeout error.

  1. To check the error message in the mbs.log and the hubcontroller.log files, on the CLI Manager, navigate to Administration > OS Console.
  2. If the error is related to connection or request timeout, then add the following parameters in the hubcontroller.env file with the required timespan:
    • PTY_ROLE_MBS_REQUEST_TIMEOUT=<timespan>
    • PTY_MEMBERSOURCESERVER_REQUEST_TIMEOUT=<timespan>
    • PTY_MANAGEMENT_MBS_REQUEST_TIMEOUT=<timespan>
  3. Log in to the ESA Web UI.
  4. Navigate to System > Services.
  5. Restart the HubController service.

When working with the member source using the DevOps API, a connection timeout error is observed in the DevOps API while fetching members or syncing a group in a role. If you get a connection timeout error, check the devops.log file for the error message.

DevOps log - "GET /api/v2/sources/11/members | 500 | 127.0.0.1 | admin | 30sec | com.protegrity.framework.exception.DpsException: PIM MBS returned error [Caused by: PIM MBS returned error: Failed to send request to upstream PIM MBS service: The timeout period of 30000ms has been exceeded while executing POST /api/v1/members for server localhost:25800]"

The timeout period exceeds the default values specified for the following parameters:

  • PTY_ROLE_MBS_REQUEST_TIMEOUT
  • PTY_MEMBERSOURCESERVER_REQUEST_TIMEOUT
  • PTY_MANAGEMENT_MBS_REQUEST_TIMEOUT
  • PTY_HUBCONTROLLER_REQUEST_TIMEOUT

Perform the following steps to fix the timeout error:

  1. To check the error message in the devops.log, mbs.log, and the hubcontroller.log files, on the CLI Manager, navigate to Administration > OS Console.
  2. Add the following parameters to the hubcontroller.env file with the required timespan:
    • PTY_ROLE_MBS_REQUEST_TIMEOUT=<timespan>
    • PTY_MEMBERSOURCESERVER_REQUEST_TIMEOUT=<timespan>
    • PTY_MANAGEMENT_MBS_REQUEST_TIMEOUT=<timespan>
  3. Add the parameter PTY_HUBCONTROLLER_REQUEST_TIMEOUT=<timespan> to the devops.env file with the required timespan.
  4. Log in to the ESA Web UI.
  5. Navigate to System > Services.
  6. Restart the HubController and the DevOps services.
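
The two recovery procedures above can be combined into one log triage step. The following is an added example, not part of the product or its documentation: it scans log lines for the timeout messages quoted on this page and reports which env file needs which parameters and which services to restart. The triage function and the sample lines are assumptions constructed for illustration, and <timespan> is left as the page's placeholder.

```python
import re

# Parameter and file names as listed on this page; <timespan> stays a placeholder.
HUBCONTROLLER_ENV = ("PTY_ROLE_MBS_REQUEST_TIMEOUT",
                     "PTY_MEMBERSOURCESERVER_REQUEST_TIMEOUT",
                     "PTY_MANAGEMENT_MBS_REQUEST_TIMEOUT")
DEVOPS_ENV = ("PTY_HUBCONTROLLER_REQUEST_TIMEOUT",)

# Upstream timeout as worded in the hubcontroller.log and devops.log messages.
UPSTREAM = re.compile(r"timeout period of (\d+)ms has been exceeded while executing "
                      r"([A-Z]+ \S+) for server ([^\s\]]+)")
# Timeout as worded in the Member Source Service (mbs.log) message.
CLIENT = "Client.Timeout exceeded while awaiting headers"

# Constructed sample input: the messages quoted on this page plus one unrelated line.
SAMPLE = {
    "hubcontroller.log": [
        "Failed to synchronize 'auto_role' member 'MBSTest50001-100000' [Caused by: PIM MBS returned error: Failed to send request to upstream PIM MBS service: The timeout period of 30000ms has been exceeded while executing POST /api/v1/members for server localhost:25800]",
        "unrelated line (constructed)",
    ],
    "mbs.log": [
        'Failed to query group members | causedBy=Get "https://graph.microsoft.com/v1.0/groups/transitiveMembers?": net/http: request canceled (Client.Timeout exceeded while awaiting headers)',
    ],
    "devops.log": [
        "GET /api/v2/sources/11/members | 500 | 127.0.0.1 | admin | 30sec | com.protegrity.framework.exception.DpsException: PIM MBS returned error [Caused by: PIM MBS returned error: Failed to send request to upstream PIM MBS service: The timeout period of 30000ms has been exceeded while executing POST /api/v1/members for server localhost:25800]",
    ],
}

def triage(logs):
    """logs maps a log file name to its lines; returns (findings, plan)."""
    findings = []
    for name, lines in logs.items():
        for line in lines:
            m = UPSTREAM.search(line)
            if m:  # (log, kind, timeout in ms, request, upstream server)
                findings.append((name, "upstream", int(m.group(1)), m.group(2), m.group(3)))
            elif CLIENT in line:
                findings.append((name, "client", None, None, None))
    plan = {"env": {}, "restart": []}
    if findings:  # both procedures set these three and restart HubController
        plan["env"]["hubcontroller.env"] = [f"{p}=<timespan>" for p in HUBCONTROLLER_ENV]
        plan["restart"].append("HubController")
    if any(f[0] == "devops.log" for f in findings):  # DevOps API case only
        plan["env"]["devops.env"] = [f"{p}=<timespan>" for p in DEVOPS_ENV]
        plan["restart"].append("DevOps")
    return findings, plan

if __name__ == "__main__":
    print(triage(SAMPLE))
```
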

Last modified : October 31, 2025