Avamar：备份因 DNS 查询占用太长时间而失败 - avtar 致命 <8941>：Fatal server connection problem, aborting initialization.验证正确的服务器地址和登录凭据。

avtar FATAL <8941>: Fatal server connection problem, aborting initialization. Verify correct server address and login credentials.
avtar Info <5694>: - Failed initial handshake, trying again
avtar Info <5562>: - - Connect: Trying 10.xx.xx.xx:29000
Adding log debugging we can see the extra bit of information in the log:

[avtar]  sslcertificate::verify_certificate_ip CN Name='Avamar Server RSA TLS'
    [avtar]  sslcertificate::verify_cnname Performing CN Name validation for Avamar Server RSA TLS
    [avtar]  uwrapper::gethostbyaddr DnsQuery(dns)  returned (9002) for 10.xx.xx.xx
    [avtar]  sslcertificate::verify_certificate_ip CN Name='<avamar-server-fqdn>'
    [avtar]  sslcertificate::verify_cnname Performing CN Name validation for <avamar-server-fqdn>
    [avtar]  uwrapper::gethostbyaddr DnsQuery(dns)  returned (9002) for 10.xx.xx.xx
    [avtar]  sslcertificate::verify_certificate_ip CN Name field did not match Hostname - Checking SA Names
    [avtar]  sslcertificate::verify_certificate_ip rawIPAddrLen = 4
    [avtar]  sslcertificate::verify_certificate_ip Comparing 10.xx.xx.xx with 10.xx.xx.xx
    [avtar]  sslcertificate::verify_certificate_ip Certificate successfully verified
    [avtar]  <-- SSL
    [avtar]  <-- TLS 1.2 Handshake, ServerHelloDone
    [avtar]  --> SSL
    [avtar]  --> TLS 1.2 Handshake, ClientKeyExchange
    [avtar]  --> SSL
    [avtar]  --> TLS 1.2 ChangeCipherSpec
    [avtar]  --> SSL
    [avtar]  --> TLS 1.2 Handshake, Finished
>[avtar]  sslsockimpl::open  connect failure  (setrslt 1)  (conrslt 0)
>[avtar]  Printing ssl error stack
    [avtar]  certlock::~certlock() success to remove SSL cert lock 'C:\Program Files\avs\etc\.tmp\.certlock'
    [avtar]  sslsockimpl::save_server_cert saving cert='C:\Program Files\avs\etc\servercert.pem'
    [avtar]  sslsockimpl::save_server_cert cipher='AES256-SHA'
>[avtar]  sslsockimpl::open  failure
> avtar Info <5694>: - Failed initial handshake, trying again
For the troubleshooting purpose we checked and confirmed that the TCP ports 28001, 28002, 27000 and 29000 were all open and within the correct TCP directions as per Avamar security guide, ping and DNS resolution were also working fine.

2019/03/05-10:22:41.39299 [avtar]  sslcertificate::verify_cnname Performing CN Name validation for Avamar Server RSA TLS
2019/03/05-10:22:53.30100 [avtar]  uwrapper::gethostbyaddr DnsQuery(dns)  returned (9002) for 10.xx.xx.xx
And the entire handshake process would require about 50 seconds to complete and fail:

2019/03/05-10:22:14.89800 [avtar]  sslsockimpl::open  initclient success
....
2019/03/05-10:23:05.41599 [avtar]  sslsockimpl::open  failure

For comparison here is an example from a working client where we see that the the "DnsQuery" is returned in less than 1 second:

2019/03/05-11:56:06.97600 [avtar]  sslcertificate::verify_cnname Performing CN Name validation for <avamar-server-fqdn>
2019/03/05-11:56:07.79600 [avtar]  uwrapper::gethostbyaddr DnsQuery(dns)  returned (9002) for 10.xx.xx.xx
And the entire handshake process would complete in about 13 seconds:

2019/03/05-11:55:54.12400 [avtar]  sslsockimpl::open  initclient success
...
2019/03/05-11:56:07.82899 [avtar]  sslsockimpl::open  initclient success, cipher: AES256-SHA
In a summary, the root cause is identified as DnsQuery spent too much time on the affected client machines.