<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none"></style> </head> <body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> Since the rpm update to ipa-server-dns-4.2.0-15.0.1.el7.centos.18.x86_64 (running on Centos 7), most of my replication started to failed with: last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server Then setup contains about 10 ipa servers in 5 different locations. But i went and ran an ipa-replica-conncheck i get this: # ipa-replica-conncheck --replica server.domain.local Check connection from master to remote replica 'server.domain.local': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): WARNING Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): WARNING HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 88, 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder. Connection from master to replica is OK. I even ran the following without issue: <dl><dd><tt># kinit -kt /etc/dirsrv/ds.keytab ldap/`hostname`</tt></dd><dd><tt># klist</tt></dd><dd><tt># ldapsearch -Y GSSAPI -h `hostname` -b "" -s base</tt></dd><dd><tt># ldapsearch -Y GSSAPI -h the.other.master.fqdn -b "" -s base</tt></dd></dl> Not really sure what to check for next? Any hint? Thanks Louis Francoeur <div id="Signature"> <div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0"> <div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0"> <style type="text/css" style="display:none">  </style></div> </div> </div> </body> </html>