During session upgrade, One Identity Safeguard for Privileged Sessions might fail to upgrade some sessions.
The following error messages appear among the system logs:
paa-metadb-to-events-run[21702]: DEBUG c.b.pam.metadb2events.ConversionTaskScheduler$ worker--1832520: failed to process task; connectionChannelId=18947396; sessionId=svc/5EP4TqX9H4pXimfYiAcTn8/zzz:1234; reason=Expected fields: sessionId=svc/5EP4TqX9H4pXimfYiAcTn8/zzz:1234, protocol=cgp, connectionName=zzz, connectionPolicyId=Some(118573821756d58eb7a1994), legacySessionId=svc/5EP4TqX9H4pXimfYiAcTn8/zzz:1234, Actual fields: sessionId=svc/5EP4TqX9H4pXimfYiAcTn8/zzz:1234, protocol=ica, connectionName=zzz, connectionPolicyId=Some(118573821756d58eb7a1994), legacySessionId=svc/5EP4TqX9H4pXimfYiAcTn8/zzz:1234
Note that this issue might be caused by several issues. This article is about an issue that is related to importing old ICA (CGP) sessions, and how to work around this problem. If you didn't use ICA protocol previously, you might be affected by some other issue, in which case please contact One Identity Support.
The problem is twofold:
A workaround for this problem is to rewrite the invalid session metadata and retry the session import.
Please log in to the core shell of the appliance and issue the following commands:
echo "UPDATE channels as c SET protocol = 'ica' FROM metadb2events_tasks AS m WHERE c._connection_channel_id=m.connection_channel_id AND c.protocol = 'cgp' AND m.migration_status = 'failed';" | psql -U scb scb
echo "UPDATE metadb2events_tasks SET migration_status = 'waiting' WHERE migration_status = 'failed';" | psql -U scb scb
systemctl restart metadb-to-events.service
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center