
Troubleshooting High Availability polling health



If using the High Availability module in Passwordstate, this will mean you have two webservers hosting two Passwordstate websites, and most likely you'll have two SQL databases replicating data in real time.  You will find the names and roles of your servers under Administration -> Authorized Web Servers, as per below screenshot:




The Polling Health is a visual reference that both servers are in sync, so if it is red in colour this could mean there is an issue you need to address.  The mechanics of how the polling process works depend on whether you have your HA web server set to run in Passive mode (server is in Read Only mode), or Active (Server is in Read/Write mode).


Please note, you should always have one server on this page that has the Primary Server role assigned. This is very important as it will ensure the Passwordstate Windows Service is fully functional and processes a number of different tasks in the background.


To troubleshoot why the polling health icons are red, please check the following:


Passive Mode:

If your HA server is set to Passive, the Passwordstate service on the secondary server will make a call on a regular schedule to the primary site API.  If it can contact it, it will show a successful green icon.


Things to check:

  • When logged in to your Primary Passwordstate site, check the URL under Administration -> System Settings -> Miscellaneous is correct.
  • Ensure the Passwordstate Service on the secondary web server is running
  • From your Secondary server, perform a PowerShell open port test back to your primary website to ensure no firewalls are blocking access.  Example is Test-NetConnection passwordstate.com.au -Port 443
  • From your secondary server, try browsing to the poll test URL by appending /api/highavailability/primarypoll/polltest to your normal Passwordstate URL.  If this works, you will see a Success:True message in the body of the website.  If you do not see this, please investigate if you have load balancers or proxy servers that are blocking this API call, and possibly bypass these devices as a quick test to rule them out.
  • Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au)


Active Mode:

If running your HA server in Active mode, instead of making a call to the API it will insert the date, time and build number directly to the secondary database, and then when replication occurs back to the primary database this will be displayed as a healthy green polling status in both of your Passwordstate websites.


Things to check:

  • Passwordstate service on the secondary web server is running
  • Database replication is working (try adding a test password record into the system and then log into the second website to see if that password record is visible there - this should be almost instant if SQL replication is working)
  • Look in the Application Event logs for any errors, and if you find any, but can't work out what they are, submit them to Click Studios support for review (support@clickstudios.com.au)



Another quick way to check replication is working correctly is to do a count of auditing events against both databases.  This SQL query below should be run against both database servers, and they will be exactly the same if replication is working correctly.


USE Passwordstate;
SELECT COUNT(*) FROM auditing;






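The passive-mode checks from the post above, collected into one PowerShell script to run on the secondary web server. This is an added example, not Click Studios code: the base URL is a placeholder, and the service display-name pattern, the tolerant match on the Success:True text and the event log filter are assumptions.

```powershell
# Added example: passive-mode polling checks, run on the SECONDARY web server.
param(
    # Placeholder: use the URL shown under
    # Administration -> System Settings -> Miscellaneous on the primary site.
    [string]$BaseUrl = 'https://passwordstate.example.internal'
)

$uri     = [uri]$BaseUrl
$results = [ordered]@{}

# 1. Is the Passwordstate service running on this server?
#    Assumption: its display name starts with "Passwordstate".
$svc = Get-Service -DisplayName 'Passwordstate*' -ErrorAction SilentlyContinue
$results['ServiceRunning'] = [bool]($svc | Where-Object Status -eq 'Running')

# 2. Open port test back to the primary website (firewall check).
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
$results['PortOpen'] = $tcp.TcpTestSucceeded

# 3. Poll test URL. An HTTP 200 is not enough: a load balancer or proxy can
#    answer with its own page, so the body must carry the Success:True text.
$pollUrl = $BaseUrl.TrimEnd('/') + '/api/highavailability/primarypoll/polltest'
try {
    $resp = Invoke-WebRequest -Uri $pollUrl -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    $results['PollHttpResult'] = [int]$resp.StatusCode
    # Assumption: tolerate quoting and spacing around "Success:True".
    $results['PollSuccess']    = [bool]($resp.Content -match 'Success"?\s*:\s*"?True')
}
catch {
    # TLS, DNS, timeout or HTTP error: keep the message for the support ticket.
    $results['PollHttpResult'] = $_.Exception.Message
    $results['PollSuccess']    = $false
}

# 4. Application event log errors from the last 24 hours.
#    Assumption: relevant entries mention "Passwordstate" in source or message.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Passwordstate' -or $_.Message -match 'Passwordstate' } |
    Select-Object -First 5

[pscustomobject]$results | Format-List
$events | Format-List TimeCreated, ProviderName, Id, Message
```

If PortOpen is True but PollSuccess is False, the request reached something on port 443 that did not return the poll test response, which points at a load balancer or proxy in the path rather than a firewall.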

  • 2 years later...

We have just finished setting up Active/Passive HA, where both sites are hosted on-premise but the primary site is using Azure App Proxy for MFA-protected access from the internet. However the API call from the secondary site is not able to navigate the app proxy and fails. Is there any way to provide an internal-only URL for the secondary site to use when reporting back to the primary site?


Hello Mike,

The only way this would be possible would be to add another binding in IIS, and then modify the Base URL field on the screen Administration -> System Settings -> Miscellaneous tab.

By changing the Base URL though, this will be used in different areas of our software i.e. links in emails, when running reports which talk to the API, etc. So this might not be ideal.


If you can use an Active/Active setup for SQL and Passwordstate, then this polling does not need to communicate to the API. You can have an active/active using either SQL Basic Availability Groups, Always On Availability Groups, or SQL Clustering.


Click Studios
