ACS - LDAP TCP Keepalive (v5.2)

rob.schieron — Mon, 11 Mar 2019 00:49:26 GMT

reposting as with subject including v5.2:

--------

Hello

I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.

When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).

I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.

Is there any possibility to enable Keepalives in ACS?

Thanks in advance for any help!

Average Rating: 0 (0 Votes)

Reply

Outline View

Javier Henderson

159 posts sinceMar 12, 2010

1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst

Re: ACS 4.2 - LDAP TCP Keepalive

You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.

ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive

Average Rating: 0 (0 Votes)

Report Abuse
Reply

Juergen Meier

2 posts sinceSep 28, 2010

2. Jan 17, 2011 5:46 AM in response to: Javier Henderson

Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)

Apparently this bug has re-appeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.

It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails due to the TCP connection been timed-out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.

Further ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.

A new ticket will be filed with TAC today.

ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive ACS 4.2 - LDAP TCP Keepalive

Average Rating: 0 (0 Votes)

Report Abuse
Reply

ROB SCHIERON

5 posts sinceOct 20, 2010

3. Feb 14, 2011 10:29 PM in response to: Juergen Meier

Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)

I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.

Did you make any progress with your TAC case?

Without using the root patch, this command is useful for finding out what is going on (it's just netstat):

# show tech-support | i ldap | i tcp

ldap 389/tcp

ldaps 636/tcp # LDAP over SSL

tcp 0 0 exc2-acscor-1401:53892 acs.ldapunix.co:ldap ESTABLISHED

tcp 0 0 exc2-acscor-1401:53893 acs.ldapunix.co:ldap ESTABLISHED

tcp 0 0 exc2-acscor-1401:53890 acs.ldapunix.co:ldap ESTABLISHED

tcp 0 0 exc2-acscor-1401:53891 acs.ldapunix.co:ldap ESTABLISHED

tcp 0 0 exc2-acscor-1401:53889 acs.ldapunix..co:ldap ESTABLISHED

Also try adjusting "Max. Admin Connections" for LDAP.

From the admin guide:

LDAP Connection Management

ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.

ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.

If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.

After the authentication process is complete, the connection manager releases the connection to the connection manager.

I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.

Cheers

topic ACS - LDAP TCP Keepalive (v5.2) in Network Access Control

ACS - LDAP TCP Keepalive (v5.2)