MichaelTorres
Article Id 358165
Description This article explains the behavior where LDAP authentication stops working because of an HA cluster configuration setting.
Scope FortiGate.
Solution

LDAP authentication stops working although no changes were made to the LDAP configuration. In the SSL VPN and fnbamd debug output, the following is seen:


[616] fnbamd_pop3_start-user.name
[1100] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'LDAP_new' for usergroup 'GROUP-PRUEBA' (11)
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
[1717] fnbamd_ldap_init-search filter is: sAMAccountName=mike
[1727] fnbamd_ldap_init-search base is: DC=u,DC=edu,DC=pe
[1149] __fnbamd_ldap_dns_cb-Resolved LDAP_UPSJB_new:172.45.2.16 to 172.45.2.16, cur stack size:1

[966] __ldap_timeout-LDAP_UPSJB_new:192.168.1.16, addr 192.168.1.16
[934] __ldap_error-LDAP_UPSJB_new:192.168.1.16, addr 192.168.1.16
[724] __ldap_stop-Conn with 192.168.1.16 destroyed.
[924] __fnbamd_ldap_get_next_addr-
[906] __ldap_try_next_server-No more server to try for 'LDAP_new'.
[785] __ldap_done-svr 'LDAP_new'
[755] __ldap_destroy-
[2782] fnbamd_ldap_result-Error (3) for req 39647022


According to the following article, the expected output for a working LDAP server is an established TCP connection: Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd


[969] __ldap_connect-tcps_connect(192.168.1.10) is established.


However, the LDAP TCP connection is never established:

  • In the GUI, both the LDAP server connector test and the credential test succeed.
  • In the CLI test, however, the same error is shown:


UPSJB_MASTER_CHORRIL~089 # di test authserver ldap LDAPTEST mike password
[1906] handle_req-Rcvd auth req 39647727 for mike in LDAPTEST opt=0000001b prot=0
[466] __compose_group_list_from_req-Group 'LDAPTEST', type 1
[1717] fnbamd_ldap_init-search filter is: sAMAccountName=mike
[906] __ldap_try_next_server-No more server to try for 'LDAPTEST'.
[785] __ldap_done-svr 'LDAPTEST'
[755] __ldap_destroy-
[2782] fnbamd_ldap_result-Error (3) for req 39647727
[216] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 39647727, len=2148
[789] destroy_auth_session-delete session 39647727
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'LDAPTEST' ctx
authenticate 'mike' against 'LDAPTEST' failed!


  • In the sniffer, FortiGate sends most packets to the LDAP server through the correct interface. However, some SYN packets leave through the MGMT interface instead.


Solution:

In the HA configuration, the 'ha-direct enable' setting is turned on.


Related article:

Technical Tip: Sending messages (logs, SNMP, RADIUS) directly from the HA management interface


  • Because of this feature, FortiGate tries to send the LDAP traffic from the HA management (MGMT) interface.
  • To solve this issue, configure the IP address of the correct interface as the source IP in the LDAP connector.


config user ldap
    edit "LDAP-fortiad"
        set server "10.88.0.1"
        set source-ip x.x.x.x <----- Replace x.x.x.x with the IP address of the interface that reaches the LDAP server.
    next
end
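The following CLI sequence ties together the sniffer check described above and the source-ip fix: confirm that ha-direct is set, see which interface the LDAP SYNs leave on, bind the connector to the correct interface address, and re-run the authentication test. This is an added example, not part of the original article. The server name LDAP-fortiad and address 10.88.0.1 are taken from the snippet above; the interface address 10.88.0.254, the test account and the LDAP port 389 (the default for plain LDAP; LDAPS uses 636) are constructed placeholders to replace with your own values.

```fortios
# Step 1: check whether the cluster sources management traffic from the HA
# management interface. "set ha-direct enable" appears in this output when set.
show system ha

# Step 2: watch the LDAP handshake and note the egress interface of each SYN.
# 10.88.0.1 is the LDAP server from this article; 389 is the default LDAP port.
# Verbosity 4 prints the interface name; stop the capture with Ctrl-C.
diagnose sniffer packet any 'host 10.88.0.1 and port 389' 4

# Step 3: pin the connector to the address of the interface that actually
# reaches the LDAP server. 10.88.0.254 is a constructed placeholder address.
config user ldap
    edit "LDAP-fortiad"
        set server "10.88.0.1"
        set source-ip 10.88.0.254
    next
end

# Step 4: re-test with fnbamd debugging enabled. 'testuser' and 'testpassword'
# are placeholders for a real account on the LDAP server.
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap LDAP-fortiad testuser testpassword
diagnose debug disable
# After the fix the debug should contain
#   __ldap_connect-tcps_connect(10.88.0.1) is established.
# instead of __ldap_timeout followed by fnbamd_ldap_result-Error (3).
```

Setting source-ip on the connector is preferable to disabling ha-direct, because logging, SNMP and RADIUS traffic that is intentionally sent from the HA management interface keeps working while only the LDAP queries are moved to the data interface.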