Dual Vault servers that unseal each other with transit seal type: deadlock issue

Hi Community,

We have a problem with dual Vault servers that failed: the Vault server cannot start successfully.
We set up the Vault servers to unseal each other with the transit seal type, such that Vault A can unseal from Vault B and Vault B can unseal from Vault A. We simulated Vault A and Vault B both crashing and tried to restart the Vault server, but it displays the error below: Error checking seal status: Get "": dial tcp connect: connection refused. Is there any solution to bring the Vault server back up? Thanks.

To confirm, VaultA needs to access VaultB's transit to unseal, and VaultB needs to access VaultA's transit to unseal?
If yes, this circular dependency has yielded you two Vault clusters that will not be recoverable: neither can start, because each depends on the other to get its unseal key constructed.
This architecture is definitely not recommended, sorry for your loss :frowning:
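The cold-start cycle described in the reply above can be checked before it bites. This is an added example, not code from the thread or from Vault itself: it reads constructed seal stanzas for three hypothetical clusters (vault-a, vault-b, vault-c, with placeholder hostnames and KMS key id) and reports which clusters can still unseal when every cluster is down at the same time.

```python
import re

# Constructed sample configs for three hypothetical clusters (not from the thread).
# The stanza keys (address, key_name, mount_path, region, kms_key_id) are real
# Vault seal options; the hostnames and the KMS key id are placeholders.
CONFIGS = {
    "vault-a": 'seal "transit" {\n  address    = "https://vault-b.example.com:8200"\n'
               '  key_name   = "autounseal"\n  mount_path = "transit/"\n}\n',
    "vault-b": 'seal "transit" {\n  address    = "https://vault-a.example.com:8200"\n'
               '  key_name   = "autounseal"\n  mount_path = "transit/"\n}\n',
    "vault-c": 'seal "awskms" {\n  region     = "us-east-1"\n'
               '  kms_key_id = "PLACEHOLDER-KMS-KEY-ID"\n}\n',
}
# Which cluster answers on which transit address (assumed inventory).
HOST_TO_CLUSTER = {
    "vault-a.example.com": "vault-a",
    "vault-b.example.com": "vault-b",
    "vault-c.example.com": "vault-c",
}

SEAL_RE = re.compile(r'seal\s+"(\w+)"\s*\{(.*?)\}', re.S)
ADDR_RE = re.compile(r'address\s*=\s*"https?://([^/:"]+)')


def unseal_dependency(config):
    """Return the cluster this config's seal needs at start-up, or None when the
    seal does not depend on another Vault (Shamir keys, or a cloud KMS)."""
    m = SEAL_RE.search(config)
    if m is None or m.group(1) != "transit":
        return None
    host = ADDR_RE.search(m.group(2)).group(1)
    # An unknown host is a dependency we cannot vouch for, so it is never "ok".
    return HOST_TO_CLUSTER.get(host, host)


def cold_start_report(configs):
    """Partition clusters into those that can unseal after every cluster is
    down at once and those stuck in a transit dependency cycle."""
    deps = {name: unseal_dependency(cfg) for name, cfg in configs.items()}
    ok = {name for name, dep in deps.items() if dep is None}
    changed = True
    while changed:  # fixpoint: a cluster is fine once its unseal source is fine
        changed = False
        for name, dep in deps.items():
            if name not in ok and dep in ok:
                ok.add(name)
                changed = True
    return sorted(ok), sorted(set(deps) - ok)


if __name__ == "__main__":
    print(cold_start_report(CONFIGS))
```

With the sample as written, vault-a and vault-b are reported as stuck; pointing vault-a's address at vault-c instead makes all three recoverable.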

Thanks, Mikegreen. Is it possible to use the command below (vault operator unseal -migrate) or any other command to change from transit mode to manual mode?

No, sorry. The unseal keys are in the other Vault instance, so if there is no way to get those the cluster is going to be unusable.

Was this a production cluster? If so, you might want to check out the reference architectures on learn.hashicorp.com and make sure it is getting the TLC it needs.


Thanks for your professional support. Mike