Broken LDAP

Forum|Forum|12 years ago
August 8, 2013
3 replies
7746 views

Hi there, We had setup SSL VPN and it was working fine. The remote users could authenticate to the AD using LDAP and everything worked fine up until they changed the LDAP port from 389 to 340. Now the users cannot connect. I changed the LDAP port from 389 to 340 on the Firewall. I debugged the ssl vpn and got the foll logs: [96:FXV10068]sslvpn_authenticate_user:124 authenticate user: rtest [96:FXV10068]sslvpn_authenticate_user:130 create fam state fnbamd_fsm.c[1262] handle_req-Rcvd auth req 6291516 for rtest in LDAP VPN SSL Users opt=256 prot=9 fnbamd_auth.c[228] radius_start-Didn' t find radius servers (0) fnbamd_auth.c[582] auth_tac_plus_start-Didn' t find tac_plus servers (0) fnbamd_ldap.c[637] resolve_ldap_FQDN-Resolved address 192.168.x.y, result 192.168.x.y fnbamd_ldap.c[1117] fnbamd_ldap_start-Error in ldap_sasl_bind fnbamd_auth.c[356] ldap_start-Failed to start ldap request for 192.168.x.y fnbamd_fsm.c[176] create_auth_session-Error starting authentication fnbamd_fsm.c[1275] handle_req-Error creating session fnbamd_comm.c[116] fnbamd_comm_send_result-Sending result 3 for req 6291516 [96:FXV10068]sslvpn_auth_check_policy:1978 [96:FXV10068]policy_match_check:1512 checking policy 39 for incoming policy [96:FXV10068]policy_match_check:1516 checking policy cipher setting [96:FXV10068]policy_match_check:1522 checking policy local username [96:FXV10068]policy_match_check:1550 address matched: 1 [96:FXV10068]policy_match_check:1556 return 0 [96:FXV10068]sslvpn_authenticate_user:124 authenticate user: rtest [96:FXV10068]sslvpn_authenticate_user:130 create fam state fnbamd_fsm.c[1262] handle_req-Rcvd auth req 6291517 for rtest in LDAP VPN SSL Users opt=256 prot=9 fnbamd_auth.c[228] radius_start-Didn' t find radius servers (0) fnbamd_auth.c[582] auth_tac_plus_start-Didn' t find tac_plus servers (0) fnbamd_auth.c[323] ldap_start-Didn' t find ldap servers (0) fnbamd_fsm.c[176] create_auth_session-Error starting authentication fnbamd_fsm.c[1275] handle_req-Error creating session I tested the same user name using the diag test command and I have pasted the output below: FW1 (FV10022) # diag test authserver ldap DC01 rtest paassword authenticate ' robtest' against ' DC01' failed! Does this output indicate that the firewall is able to communicate to the DC? Can someone please suggest if there is anything else that needs to be done. Thanks Anu

neonbit

New Member

When you edit the LDAP server and change the port number, does the ' Test' button give you ' Successful' or an error (like ' Server unreachable' )? Are you able to telnet to the AD server on port 340? (execute telnet <ipaddress> 340). With the LDAP telnet you won' t get any response back but the connection will open. To see a failed telnet, you can telnet to 341 for example then it should d/c immediately. I' ve tried the test here and can confirm that the ' failed' error you' re receiving happens both when you try to connect to a correctly configured server (but enter the wrong credentials) or when you can' t connect to the LDAP server correctly (incorrect port, ip, no connectivity etc). It looks to be a catch all error. Have you tried creating a new LDAP server with the new port number?

AnneAuthor

New Member

Thanks neonbit. As suggested by you, I telnet the LDAP server and got a " timeout" FW1 (VDOM2) # execute telnet 192.168.x.y 340 Timeout! Here is the sniff output FW1 (VDOM2) # diag sniffer packet any ' host 192.168.x.y' 4 interfaces=[any] filters=[host 192.168.2.2] 11.533604 port3.441 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 11.533611 port3 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 14.528370 port3.441 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 14.528374 port3 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 20.528372 port3.441 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 20.528376 port3 out 192.168.2.5.12581 -> 192.168.x.y.340: syn 996442636 Thanks Anne

neonbit

New Member

Well it doesn' t look like your getting back any syn-ack packets so I think the issue is one of two things: 1. There is a firewall or network device sitting infront of your LDAP server that is blocking port 340 (or it could be on the server itself). 2. LDAP has not been configured correctly to use port 340. Are you able to telnet to the LDAP server on port 340 from another PC thats directly connected to the same subnet? Or ideally, are you able to telnet to the LDAP server from itself (telnet localhost 340). Have you confirmed that LDAP is working correctly with the new port?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded