Hmm. Those are open enough to work but I didn't verify against the official open port list (memory is coffee dependent).
There was still that install error and that is the primary suspect.
Next step: uninstall replica and main. Remove the log files. Remove the rpms for freeipa and all required dependents. Run rpm -Va and analyze the output for bad binaries of everything else. Check for a flaky hard drive or other network issues.
Reinstall. At each step, do a log analysis and resolve all errors before continuing. Pay careful attention to the startup process of the CA server components.

On December 29, 2021 12:52:45 AM EST, Chris Roadfeldt via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Thanks for the help, appreciate another set of eyes on this.

Was hoping it would be something simple between the systems. To that end I've turned off all local firewalls on the primary and replica as well as ensuring that required ports are open when it is on. I've also ensured that the inter-vlan firewall has rules allowing all traffic to flow in both directions between primary and replica.

example.com is a sanitized domain as you picked up on.

Here are the nmap -v results

replica to primary

[root@replica ~]# nmap -v primary
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:18 CST
Initiating Ping Scan at 23:18
Scanning primary (192.168.0.21) [4 ports]
Completed Ping Scan at 23:18, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:18
Scanning primary (192.168.0.21) [1000 ports]
Discovered open port 53/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 443/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 8080/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 135/tcp on 192.168.0.21
Discovered open port 49152/tcp on 192.168.0.21
Discovered open port 9090/tcp on 192.168.0.21
Discovered open port 749/tcp on 192.168.0.21
Discovered open port 8443/tcp on 192.168.0.21
Discovered open port 389/tcp on 192.168.0.21
Discovered open port 636/tcp on 192.168.0.21
Discovered open port 464/tcp on 192.168.0.21
Discovered open port 88/tcp on 192.168.0.21
Completed SYN Stealth Scan at 23:18, 0.69s elapsed (1000 total ports)
Nmap scan report for primary (192.168.0.21)
Host is up (0.044s latency).
rDNS record for 192.168.0.21: primary.example.com
Not shown: 984 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
8080/tcp open http-proxy
8443/tcp open https-alt
9090/tcp open zeus-admin
49152/tcp open unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.092KB)


primary to replica

[root@primary ~]# nmap -v replica
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 23:21 CST
Initiating Ping Scan at 23:21
Scanning 192.168.10.9 [4 ports]
Completed Ping Scan at 23:21, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:21
Scanning replica.example.com (192.168.10.9) [1000 ports]
Discovered open port 22/tcp on 192.168.10.9
Discovered open port 443/tcp on 192.168.10.9
Discovered open port 80/tcp on 192.168.10.9
Discovered open port 389/tcp on 192.168.10.9
Discovered open port 9090/tcp on 192.168.10.9
Discovered open port 88/tcp on 192.168.10.9
Discovered open port 636/tcp on 192.168.10.9
Discovered open port 464/tcp on 192.168.10.9
Completed SYN Stealth Scan at 23:22, 4.86s elapsed (1000 total ports)
Nmap scan report for replica.example.com (192.168.10.9)
Host is up (0.040s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
9090/tcp open zeus-admin

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
Raw packets sent: 1986 (87.360KB) | Rcvd: 20 (1.156KB)


Re: No communication, what's baffling is that I can see the replication start up on both ends in the dirsrv logs. Also the initial sync runs and completes.

Re: DNS, I point the replica to the primary for DNS resolution during the replica install. I also have entries in the hosts files on the replica and primary for the shortname and fqdn of both the replica and primary. I do have other DNS servers that are mirrors of the primary IPA DNS.

Re: --uninstall, that is performed as well as a reboot after each ipa-client-install, ipa-replica-install and ipa-server-install --uninstall for good measure.

I do run a split domain, I know the evils of that, but it's necessary for my clients to work while migrating in and out of the internal networks. I've verified that is working as expected as well.

The dirsrv logs do show a replication issue around number of entries per time, assume that's a throttling mechanism. Also have a dangling replication agreement that I cannot get rid of for another replica. Other than that, I don't see anything unusual in the logs for ldap. But I'm no expert, so if a sanitized version of those would help, let me know.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org

--
Computers amplify human error
Super computers are really cool
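The reply above says the open ports were not checked against the official FreeIPA port list. As an added example (not code from the thread or from the FreeIPA project), the script below parses the PORT/STATE/SERVICE table of the two nmap runs quoted in the thread and compares each host against the TCP ports the FreeIPA installation documentation requires (80, 443, 389, 636, 88, 464, and 53 when IPA DNS is used). It also lists the documented UDP ports (88, 464, 53, 123) as untested, because a default `nmap -v` run is a TCP SYN scan and never probes them. The two scan tables are copied from the messages above, trimmed to the lines the parser reads; the function and variable names are mine.

```python
import re
from typing import Dict, List, Tuple

# TCP ports FreeIPA's installation docs require between servers, replicas and
# clients. 53 only matters when the IPA DNS service is deployed, as it is in
# this thread (the replica resolves through the primary).
REQUIRED_TCP = {80: "http", 443: "https", 389: "ldap", 636: "ldaps",
                88: "kerberos", 464: "kpasswd", 53: "dns"}
# Required UDP ports. A default `nmap -v` run is a TCP SYN scan, so these never
# appear in its output and are reported as untested rather than missing.
REQUIRED_UDP = {88: "kerberos", 464: "kpasswd", 53: "dns", 123: "ntp"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\w+) ports")


def parse_nmap(text: str) -> Tuple[Dict[str, Dict[int, str]], str]:
    """Parse the PORT/STATE/SERVICE table of nmap output.

    Returns ({"tcp": {port: state}, "udp": {port: state}}, default_state),
    where default_state is what nmap's "Not shown: N <state> ports" line says
    about every port absent from the table ("closed", "filtered", ...).
    """
    listed: Dict[str, Dict[int, str]] = {"tcp": {}, "udp": {}}
    default_state = "not scanned"
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SHOWN.match(line)
        if m:
            default_state = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            listed[m.group(2)][int(m.group(1))] = m.group(3)
    return listed, default_state


def check_freeipa_ports(text: str) -> Dict[str, object]:
    """Compare one host's scan against the required FreeIPA port list.

    tcp_problems maps each required TCP port that is not open to
    "<service>: <state>"; udp_untested lists required UDP ports the scan
    never exercised.
    """
    listed, default_state = parse_nmap(text)
    tcp_problems: Dict[int, str] = {}
    for port, name in sorted(REQUIRED_TCP.items()):
        state = listed["tcp"].get(port, default_state)
        if state != "open":
            tcp_problems[port] = f"{name}: {state}"
    udp_untested: List[int] = sorted(p for p in REQUIRED_UDP
                                     if p not in listed["udp"])
    return {"tcp_problems": tcp_problems, "udp_untested": udp_untested}


# Port tables copied from the two scans in the thread (trimmed to the lines
# the parser reads).
PRIMARY_SCAN = """\
Nmap scan report for primary (192.168.0.21)
Not shown: 984 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
8080/tcp open http-proxy
8443/tcp open https-alt
9090/tcp open zeus-admin
49152/tcp open unknown
"""

REPLICA_SCAN = """\
Nmap scan report for replica.example.com (192.168.10.9)
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
88/tcp open kerberos-sec
389/tcp open ldap
443/tcp open https
464/tcp open kpasswd5
636/tcp open ldapssl
9090/tcp open zeus-admin
"""

if __name__ == "__main__":
    for host, scan in (("primary", PRIMARY_SCAN), ("replica", REPLICA_SCAN)):
        report = check_freeipa_ports(scan)
        print(f"{host}: required TCP not open -> {report['tcp_problems']}; "
              f"UDP untested -> {report['udp_untested']}")
```

Run against the thread's output, the primary passes on every required TCP port, while the replica is flagged only for 53/tcp, which nmap reports as closed rather than filtered. That distinction is the useful part: "closed" means the packet reached the host and nothing was listening (the replica was presumably installed without its own DNS service), whereas "filtered" on a required port would point at a firewall dropping traffic. The required UDP ports are left as untested; a separate `nmap -sU` run against just those ports, or a Kerberos/DNS query from the peer, is needed to cover them.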