FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
slovepreet
Staff
Article Id 252955
Description

This article describes how to troubleshoot the 'Invalid LDAP server' Error.

Scope

FortiGate.
Solution

In some cases the LDAP server connection test succeeds and the FortiGate can authenticate a username against the LDAP server without problems.

However, when the group information is pulled from the server, the operation fails with the error 'Invalid LDAP server' and the GUI keeps loading, as shown in the picture.

 
[Image: error.jpg.png]
 
  • The GUI shows the error 'Invalid LDAP server'.
  • If a packet capture is taken and opened in Wireshark, an 'abandonRequest' message appears:

 

[Image: Picture1.png]

  • The packet capture shows a 5-second gap between the messages: the FortiGate sends the search request, but no response comes back from the LDAP server.
  • When the FortiGate does not receive a response within the remote authentication timeout, it sends an AbandonRequest to tell the LDAP server to stop the operation (if the server was still processing it) and reports 'Invalid LDAP server'.
  • There can be several reasons for the missing response; one common reason is latency in the customer environment (on the path between the FortiGate and the LDAP server, or on the server itself), so the search does not complete within the timeout.

 

Solution:

 

Ideally this issue should not occur: the root cause is that the remote LDAP server is not responding in time, so address that with the network and server teams responsible. As a workaround, increase the remote authentication timeout. Note that this is a global setting, so it also applies to RADIUS and TACACS+ authentication:

 

config system global
    set remoteauthtimeout 300   <----- Value in seconds (up to 300). The default is 5 seconds, which matches the 5-second gap seen in the packet capture above.
end
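The exchange the capture shows, reproduced here as an added example (not code from the article or from Fortinet): a Python script that hand-encodes the LDAP SearchRequest, AbandonRequest and SearchResultDone messages, runs a deliberately slow stand-in LDAP server on localhost, and models the FortiGate side with a remoteauthtimeout that is first shorter, then longer, than the server's latency. The function and variable names are hypothetical, the timings are scaled down from the 5-second default so the demo runs in a couple of seconds, and no real directory is involved.

```python
import select
import socket
import threading

# --- minimal BER/LDAP encoders: just enough for this exchange (hypothetical helpers) ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):                      # non-negative integers below 128 only
    return tlv(0x02, bytes([value]))

def search_request(msg_id, base_dn, attr="memberOf"):
    """SearchRequest [APPLICATION 3]: subtree search under base_dn, filter (objectClass=*)."""
    body = (tlv(0x04, base_dn.encode())             # baseObject
            + tlv(0x0A, b"\x02")                    # scope: wholeSubtree
            + tlv(0x0A, b"\x00")                    # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)               # sizeLimit, timeLimit: none
            + tlv(0x01, b"\x00")                    # typesOnly: FALSE
            + tlv(0x87, b"objectClass")             # filter: present (objectClass=*)
            + tlv(0x30, tlv(0x04, attr.encode())))  # attributes to return
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))

def abandon_request(msg_id):
    """AbandonRequest [APPLICATION 16]: tells the server to stop work on msg_id."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x50, bytes([msg_id])))

def search_result_done(msg_id, result_code=0):
    """SearchResultDone [APPLICATION 5] carrying an LDAPResult (code, matchedDN, message)."""
    result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, ber_int(msg_id) + tlv(0x65, result))

def start_slow_ldap_server(delay, seen):
    """Stand-in for a slow LDAP server on 127.0.0.1: answers the search only after
    `delay` seconds, unless the client sends something else (an AbandonRequest) first."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(4096)
            seen["search"] = len(req) > 5 and req[5] == 0x63
            ready, _, _ = select.select([conn], [], [], delay)   # simulated latency
            if ready:                                           # client spoke again first
                more = conn.recv(4096)
                seen["abandon"] = len(more) > 5 and more[5] == 0x50
            else:
                seen["abandon"] = False
                conn.sendall(search_result_done(1))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], t

def fortigate_group_lookup(port, base_dn, remoteauthtimeout):
    """Model of the FortiGate side: send one SearchRequest, wait up to remoteauthtimeout
    seconds, and on silence send AbandonRequest and report 'Invalid LDAP server'."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.settimeout(remoteauthtimeout)
        s.sendall(search_request(1, base_dn))
        try:
            resp = s.recv(4096)
        except socket.timeout:
            s.sendall(abandon_request(1))
            return "Invalid LDAP server (no reply within remoteauthtimeout; AbandonRequest sent)"
    # resp layout with one-byte lengths: 30 L 02 01 <id> 65 L 0A 01 <resultCode> ...
    if len(resp) > 9 and resp[5] == 0x65 and resp[9] == 0:
        return "group lookup OK"
    return "LDAP error"

def run_scenario(server_delay, remoteauthtimeout):
    """Returns (outcome seen by the FortiGate model, whether the server saw an AbandonRequest)."""
    seen = {}
    port, t = start_slow_ldap_server(server_delay, seen)
    outcome = fortigate_group_lookup(port, "DC=Testconsulting", remoteauthtimeout)
    t.join(timeout=10)
    return outcome, seen.get("abandon")

if __name__ == "__main__":
    # Timings scaled down from the article's 5 s default so the demo runs quickly.
    print(run_scenario(server_delay=1.0, remoteauthtimeout=0.3))   # timeout path
    print(run_scenario(server_delay=0.3, remoteauthtimeout=2.0))   # timeout raised above latency
```

With the timeout below the server's latency, the client sends an AbandonRequest after the timeout expires, exactly the pattern seen in the capture; with the timeout raised above the latency, the same slow server's SearchResultDone arrives and the lookup succeeds. Raising remoteauthtimeout therefore only absorbs latency up to the new value; it does not make a server that never answers respond.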

 

For further LDAP troubleshooting refer to this article below:

Troubleshooting Tip: FortiGate LDAP

 

  • It is also worth setting the Bind Type on the FortiGate's LDAP server object to Regular and entering the credentials of an account that is allowed to search the directory.
  • Then check again whether the same error still appears.
  • If it does, collect a packet capture between the FortiGate's IP and the LDAP server while replicating the issue:


diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y and port 389' 6 0 l

Replace x.x.x.x and y.y.y.y with the FortiGate's source IP and the LDAP server's IP, and use port 636 instead of 389 if the server is configured for LDAPS. Verbosity 6 captures the full packet payload with the interface name, and a count of 0 captures until stopped with Ctrl-C.

To convert packet capture to Wireshark readable: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.

Once the issue is replicated, it should be possible to see the flow/communication.

The 'Invalid LDAP server' error may also be seen when the search uses the wrong base DN (the baseObject of the SearchRequest in the packet capture), as in the following screenshot. The DN configured on the FortiGate was 'DC=T3stconsulting' while the actual DN on the server was 'dc=Testconsulting'. The difference in case is harmless, because DN matching is case-insensitive, but 'T3st' versus 'Test' is a real typo, so the server rejected the search and the following error was observed in the packet capture.
                                               
[Image: Invalid Server Error.PNG]

 

If the issue persists, contact Fortinet Support.

 

It is also possible to receive the 'Invalid LDAP server' error on a FortiGate LDAP server object while performing a DN query:

 

[Image: 10182157-3 -edit.png]

If the error below appears in the fnbamd debug output (diagnose debug application fnbamd -1, after diagnose debug enable) and in the packet capture of the LDAP session, the bind itself is the problem and a change is needed on the AD server. The issue is addressed on the Microsoft side by adding a registry entry on the Windows Server; see the linked Microsoft document.

 

[1186] fnbamd_ldap_parse_response-Error 1(000004DC: LdapErr: DSID-0C090BA8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839)

 

In this scenario the FortiGate shows the same 'Invalid LDAP server' error, but the packet capture and the fnbamd debug output reveal the real cause: the server rejects the search with 'In order to perform this operation a successful bind must be completed on the connection'.

 

[Image: kb 6.3.jpg]

 

[Image: kb 6.4.PNG]

 

If, after the steps above are completed, the packet capture shows that the bind from the FortiGate succeeds but the LDAP server still replies to the search with the operations error 'In order to perform this operation, a successful bind must be completed on the connection', the problem is on the LDAP server side: check for recent changes or updates on the LDAP server.
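Two of the causes above (the wrong base DN, and the 'successful bind must be completed' rejection) can be told apart from the fnbamd debug line and from the DN itself. The following Python script is an added example, not code from the article or from Fortinet: it parses the Active Directory diagnostic message in the shape fnbamd prints (the bind-required line quoted above is used as input verbatim), maps the LDAP result code to the cause the article describes, and compares a configured DN with the server's DN in a way that ignores case but catches the 'T3st'/'Test' typo. The second sample line (result code 32, noSuchObject) is constructed to illustrate the wrong-DN case and is modelled on AD's message format; its DSID value is made up. The function names and the assumption that dc, cn, ou and o values compare case-insensitively (AD's matching rules for these attributes) are mine.

```python
import re

# LDAP result codes (RFC 4511) for the failures discussed in this article.
LDAP_RESULT_NAMES = {
    0: "success", 1: "operationsError", 32: "noSuchObject",
    34: "invalidDNSyntax", 49: "invalidCredentials", 50: "insufficientAccessRights",
}

# What each code means for a FortiGate LDAP server object, in the article's terms.
CAUSES = {
    1: "search attempted before a successful bind: the domain controller requires an "
       "authenticated bind (server-side setting; see the Microsoft registry change referenced above)",
    32: "base DN not found: compare the DN configured on the FortiGate with the server's DN",
    49: "bind credentials rejected: check the Regular bind username and password",
}

# Shape of an Active Directory diagnostic message as fnbamd prints it, e.g.
#   Error 1(000004DC: LdapErr: DSID-0C090BA8, comment: ..., data 0, v3839)
AD_DIAG = re.compile(
    r"Error\s+(?P<code>\d+)\s*\((?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*"
    r"DSID-(?P<dsid>[0-9A-Fa-f]+)(?P<detail>.*?),\s*data\s+(?P<data>\d+)"
)


def diagnose_fnbamd_line(line):
    """Map one fnbamd_ldap_parse_response error line to a result code and a likely cause.
    Returns None for lines that do not carry an AD-style diagnostic."""
    m = AD_DIAG.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    comment = re.search(r"comment:\s*(.*)", m.group("detail"))
    return {
        "code": code,
        "name": LDAP_RESULT_NAMES.get(code, "unknown"),
        "win32": m.group("win32"),
        "dsid": m.group("dsid"),
        "comment": comment.group(1).strip() if comment else "",
        "cause": CAUSES.get(code, "see the RFC 4511 result code"),
    }


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: attribute types lowercased, surrounding whitespace
    dropped, and values of the usual naming attributes lowercased (assumption: AD matches
    dc, cn, ou and o values case-insensitively, so 'DC=X' and 'dc=x' name the same object)."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()
        value = value.strip()
        if attr in ("dc", "cn", "ou", "o"):
            value = value.lower()
        out.append(f"{attr}={value}")
    return ",".join(out)


def dn_mismatch(configured_dn, server_dn):
    """True when the DN on the FortiGate names a different object than the server's DN."""
    return normalize_dn(configured_dn) != normalize_dn(server_dn)


if __name__ == "__main__":
    # First line is quoted from the article; the second is constructed (wrong base DN).
    sample_lines = [
        "[1186] fnbamd_ldap_parse_response-Error 1(000004DC: LdapErr: DSID-0C090BA8, comment: "
        "In order to perform this operation a successful bind must be completed on the connection., data 0, v3839)",
        "[1186] fnbamd_ldap_parse_response-Error 32(0000208D: NameErr: DSID-03100238, "
        "problem 2001 (NO_OBJECT), data 0, best match of: '')",
    ]
    for line in sample_lines:
        print(diagnose_fnbamd_line(line))
    # The DN typo from the article is a real mismatch; a pure case difference is not.
    print(dn_mismatch("DC=T3stconsulting", "dc=Testconsulting"))
    print(dn_mismatch("DC=Testconsulting", "dc=testconsulting"))
```

Run it over the lines from diagnose debug application fnbamd -1 before opening the capture: result code 1 points at the bind requirement on the domain controller, result code 32 at the DN configured on the FortiGate, and the DN comparison shows whether a suspected DN difference is a real typo or only a case difference that the server would accept anyway.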