dzt0
New Member
April 29, 2019
Question

[FortiGate 60D] Notification: Can't contact LDAP server


Dear all,

Please let me know why I can't ping from the FortiGate router to the Active Directory server, while ping from the Active Directory server to the FortiGate router is OK. I am trying to set up an LDAP server but get the error: "Can't contact LDAP server". I have tried everything. Please suggest the next step. Where should I start checking?


    ede_pfau
    SuperUser
    April 29, 2019

    Probably the source address for ping/LDAP is not correct.

    Test with ping first.

    exec ping-options source a.b.c.d
    sets the FGT's source address to one of its interfaces. You cannot choose an arbitrary address, that is.

    In the CLI there is a "source-address" setting for LDAP as well, look in "config auth ldap".

    xsilver_FTNT
    Staff
    May 2, 2019

    Have you checked the following?

    - routing on FGT, and all the way to LDAP .. any asymmetry or routing issue?

    - firewall on the way not allowing ICMP from FGT but allowing it from LDAP?

    - any firewall on LDAP/AD itself?

    - on FGT what's on packet capture .. any ingress of ICMP?

    - on FGT any local-in policy preventing that?

    - on FGT what's in flow debug?

    I guess that some of those steps will give you a hint about what's going on.

    dzt0 (Author)
    New Member
    May 7, 2019

    I tried ping-options, and it works. My Active Directory server is 10.0.1.1. I need to check the source address on the FGT, right? How do I check it?

    xsilver_FTNT
    Staff
    May 7, 2019

    How about a packet capture of the outgoing traffic?

    for example: diag sniff pack any 'host 10.0.1.1 and icmp' 4 0 a

    More on basic tools

    https://kb.fortinet.com/k...amp;externalId=FD30038
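The checks suggested in this thread, written out as FortiOS CLI commands in one sequence. This is an added example and was not posted by anyone in the thread. 10.0.1.1 is the AD server named above; the FortiGate interface address 10.0.1.254, the LDAP server object name AD_LDAP, the test account and the password placeholder are assumed values to replace with your own.

```fortios
# Added example (not from the thread). Assumed values: 10.0.1.254 = IP of the
# FGT interface facing the AD server, "AD_LDAP" = LDAP server object name.

# 1. Which route and egress interface does the FGT use to reach the AD server?
get router info routing-table details 10.0.1.1

# 2. Ping with a pinned source address. The address must belong to one of the
#    FGT's own interfaces; reset the option when done.
execute ping-options source 10.0.1.254
execute ping 10.0.1.1
execute ping-options reset

# 3. Capture ICMP to/from the AD server while the ping runs in another session.
#    Echo requests leaving with no reply coming back points at the AD host
#    firewall or the return path rather than at the FGT itself.
diagnose sniffer packet any 'host 10.0.1.1 and icmp' 4 0 a

# 4. Flow trace for the same traffic: shows the route and policy decision taken,
#    including any local-in policy that drops the returning packets.
diagnose debug flow filter addr 10.0.1.1
diagnose debug flow trace start 10
diagnose debug enable
execute ping 10.0.1.1
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 5. Pin the LDAP source address the same way, then test the server object with
#    a real account instead of waiting for the GUI notification.
config user ldap
    edit "AD_LDAP"
        set server "10.0.1.1"
        set source-ip 10.0.1.254
    next
end
diagnose test authserver ldap AD_LDAP testuser <password>

# 6. LDAP is TCP/389 (636 for LDAPS): capture the handshake to see whether the
#    SYN leaves and a SYN/ACK returns, independently of ICMP being filtered.
diagnose sniffer packet any 'host 10.0.1.1 and tcp port 389' 4 0 a
```

Run step 3 and step 6 from a second CLI session while the ping or the authserver test runs in the first; the capture is the quickest way to tell whether the problem is the FGT not sending (wrong source address or route) or the AD side not answering (host firewall or an asymmetric return route).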