Generic Kafka consumer element unable to connect to brokers on one DMA agent and works on another

139 viewskafka
0
3 Comments

Hi everyone,

I’m testing the Kafka Consumer protocol (Generic Kafka Consumer) across two DataMiner agents with identical configuration parameters, both meant to consume messages from an AWS MSK (Kafka) cluster and store the consumed JSON data in a local directory.

However, I’m facing a strange issue:

  • On DMA #1, the consumer connects to the Kafka brokers successfully, consumes messages, and writes the JSON files as expected.

  • On DMA #2, with the same configuration, it continuously logs:

    [<span class="hljs-symbol">thrd:main</span>]: <span class="hljs-link">Cluster connection already in progress: coordinator query </span>
    [<span class="hljs-symbol">thrd:main</span>]: <span class="hljs-link">Not selecting any broker for cluster connection: still suppressed: no cluster connection </span>
    Error: sasl<span class="hljs-emphasis">_ssl://b-1.kafkaqa...:9096/bootstrap: Connect to ipv4#10.xxx.xxx.xxx:9096 failed: Unknown error (after 21043ms in state CONNECT)
    </span>

    It never reaches a connected state or produces any JSON output file.

We checked the basics:

  • The IP resolves fine — we can ping the broker IPs directly from the DMA’s command prompt.

  • Both DMAs are using SASL/SCRAM over SSL on port 9096.

  • The same credentials and topic are used, and both brokers are accessible via AWS MSK from other tools (like Lambda).

  • Both elements point to the same dataminer-protocol-feature-tests topic, same directory structure for file output, and identical protocol parameters.

What I’d like to understand

  1. Is there any additional TCP or SSL requirement for Kafka connections beyond ICMP reachability (ping)?

  2. Could there be a local Windows or SSL store dependency that’s missing or outdated on the non-working DMA?

  3. Are there specific librdkafka configuration options or certificates that must be present per hosting agent for SASL_SSL connections to succeed?

  4. Is there a recommended diagnostic log level or Kafka debug flag within the protocol to trace SSL/TLS handshake issues?

Environment summary

  • Kafka cluster: AWS MSK (SASL/SCRAM-SHA-512, SSL, port 9096)

  • Protocol: Generic Kafka Consumer / Custom Skyline Kafka Consumer

  • DM version: (add your version, e.g. 10.4.0.0)

  • Hosting: Two DMAs (same version), different Windows hosts

  • Behavior: Works perfectly on one DMA; fails to connect on another

Any insight on what might cause this “connect failed / no cluster connection” behavior when ping and DNS are fine would be greatly appreciated!

Michiel Saelen [SLC] [DevOps Enabler] Posted new comment 19th November 2025
Michiel Saelen [SLC] [DevOps Enabler] commented

Maybe worth checking if there is no firewall issue? You could evaluate if a network connection can be made by running from the DMA the following command in powershell 'tnc 10.x.x.x -port 9096'
A B M Sidddique [DevOps Advocate] commented

Hi Michiel , Yes i have checked with TNC and the connection towards the AWS server -its just when trying to initiate the element – there is no connection to the IP server as per logs
Michiel Saelen [SLC] [DevOps Enabler] commented

If there is no problem to setup the network connection, then the next step would be to validate the certificate used. If you have the certificate used, then you verify on both servers if it is trusted. Can you check if it could be related to root certificates being available on one Windows machine, but not the other or if there is a difference in policies?