Cisco ACE 4710 : LDAP over SSL load balancing issue

batulzii.y
Level 1

Hi all,

I have a problem load balancing LDAP over SSL traffic on a Cisco ACE 4710. Below are the details.

1. All users connect to the enterprise web application through LDAP over SSL on dc1.company.local.

2. If dc1.company.local fails, all users are unable to log in to the enterprise web application. So we decided to load balance LDAPS traffic across dc1.company.local and dc2.company.local.

3. We have a local CA. All certificates used for internal communication, including the domain controller authentication certificates, are issued by the local CA.

Below is what we did to load balance LDAPS traffic.

1. Exported the dc1.company.local certificate and key and copied them to the Cisco ACE.

2. Configured LDAPS load balancing like this:

3. After that, users are unable to log in over LDAPS. The error message is "Could not connect to LDAP server".

So I captured network packets on a client PC and on the domain controllers. Below is the Wireshark analysis.

1. The client connection to the load balancer is successful. Clients connect to the load balancer VIP without a certificate error, and the SSL handshake is OK.

2. The load balancer successfully forwards LDAPS traffic to the domain controllers.

3. The domain controller resets the LDAPS packets coming from the load balancer.

If you have configured load balancing for LDAP over SSL before, please share your practices.

Thanks guys.

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

I am not aware of any guide, but why is your domain controller rejecting packets from the load balancer? Is it expecting something that is not being sent, or does something need to be configured on the domain controller for the load balancer?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Successful 3-way handshake, certificate key exchange, application data transmission, and after that an RST packet. Something goes wrong. Still trying to find out why it's rejecting the packets.

Hi,

What do you see at the backend? If you are doing SSL termination, the backend traffic should be in clear text unless you are doing end-to-end SSL. If it is clear text, you can clearly see at the backend why the connection is getting rejected and who is doing it. That should narrow the problem down a bit.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
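The check Kanwal suggests (look at what the backend actually receives) can be made mechanical. The following is an added example, not code from the thread, from the original poster or from Cisco: a small Python classifier that tells a TLS record from a cleartext LDAP BindRequest in the first bytes of a backend-side capture, and compares that with what the domain controller port should expect. The LDAP payload is constructed here with a tiny BER encoder rather than taken from the poster's capture, the TLS bytes are a constructed record header, and the mapping "636 expects TLS, 389 expects cleartext" is the standard-port assumption, not something the thread states.

```python
"""Classify the first bytes a backend DC receives from the load balancer.

Added example for the thread above; sample payloads are constructed, not captured.
"""
from typing import Tuple


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def ldap_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Build a cleartext LDAPv3 simple BindRequest (RFC 4511) as sample input."""
    bind_request = ber_tlv(
        0x60,                                  # [APPLICATION 0] BindRequest
        ber_tlv(0x02, bytes([3]))              # version INTEGER 3
        + ber_tlv(0x04, dn.encode())           # name LDAPDN
        + ber_tlv(0x80, password.encode()),    # authentication: simple [0]
    )
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + bind_request)


def read_ber_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets); raise on truncation."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(data):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ldap-cleartext' or 'unknown' for the start of a TCP stream."""
    # TLS record header: content type 0x16 (handshake), version 0x0300..0x0303
    # (SSLv3 .. TLS 1.2; TLS 1.3 keeps a legacy 0x0301/0x0303 record version).
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    try:
        if data[0] != 0x30:                    # not a SEQUENCE, so not an LDAPMessage
            return "unknown"
        _, pos = read_ber_length(data, 1)
        if data[pos] != 0x02:                  # messageID must be an INTEGER
            return "unknown"
        id_len, pos = read_ber_length(data, pos + 1)
        op_tag = data[pos + id_len]            # protocolOp tag follows the messageID
    except (IndexError, ValueError):
        return "unknown"
    # protocolOp tags are [APPLICATION n] constructed, i.e. 0x60..0x7F
    # (0x60 BindRequest, 0x63 SearchRequest, 0x77 ExtendedRequest such as StartTLS).
    return "ldap-cleartext" if 0x60 <= op_tag <= 0x7F else "unknown"


def backend_check(backend_port: int, first_bytes: bytes) -> str:
    """Compare what the DC port expects (assumed: 636 TLS, 389 cleartext) with what was sent."""
    kind = classify_first_bytes(first_bytes)
    expects_tls = backend_port == 636
    if kind == "tls" and expects_tls:
        return "ok: TLS to the LDAPS port; if the DC still resets, look at TLS alerts on the DC side"
    if kind == "ldap-cleartext" and not expects_tls:
        return "ok: cleartext LDAP to the LDAP port (SSL terminated on the load balancer)"
    if kind == "ldap-cleartext" and expects_tls:
        return "mismatch: SSL terminated on the load balancer but cleartext forwarded to 636"
    if kind == "tls" and not expects_tls:
        return "mismatch: TLS forwarded to the cleartext LDAP port 389"
    return "unknown payload: capture more of the stream"


if __name__ == "__main__":
    # Constructed samples standing in for the first payload bytes seen on the DC.
    samples = {
        "cleartext bind": ldap_simple_bind(1, "cn=svc,dc=company,dc=local", "secret"),
        "tls record":     bytes.fromhex("1603010200010001fc0303") + b"\x00" * 10,
    }
    for name, payload in samples.items():
        for port in (389, 636):
            print(f"{name:15} -> port {port}: {backend_check(port, payload)}")
```

Run it against the first bytes of the stream that Wireshark shows arriving at the domain controller (right-click the first data segment, Follow TCP Stream, copy as hex). A "mismatch" result points at the SSL termination versus end-to-end SSL question in the reply above; an "ok: TLS" result means the reset has to be explained from the TLS handshake or the LDAP response on the DC side, which this classifier does not look at.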
