Ironport SMA Login & LDAP

jtsai8585
Level 1

We frequently experience login failure to the GUI page of the SMA and we'll need to wait 10 to 30 seconds before trying again. The same behavior occurs for SSH connections. The SMA and our Windows domain controllers are on the same network, so there is no blockage in the path. There are hundreds of other servers and applications that use these domain controllers without issues. Am I the only one experiencing this odd behavior? I don't see much discussion and TAC isn't able to resolve this.

In LDAP_Debug_Log, I see the following entries frequently:

(538) Connection Error: [Errno 54] 

(538) Connection interrupted (writer)

6 Replies

I'm fairly certain that the "[Errno 54]" is an LDAP error. 

That number is a loop detect error, so I'd dig in and make sure you don't have self referential groups, or groups that have other groups that have the original group in it, or aliases that point to one another... that sort of weirdness...

Ken

Just checked our AD and there are no circular nested groups.... using Microsoft's Script Center's Find Circular Nested Groups PowerShell script.

https://gallery.technet.microsoft.com/scriptcenter/fa4ccf4f-712e-459c-88b4-aacdb03a08d0
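The circular-nesting check discussed above (self-referential groups, groups that eventually contain themselves), as an added example that is not from the thread and not the Microsoft Script Center script linked to. It is a depth-first search over a constructed map of direct group-to-group memberships; the group names are made up. Against real AD data the map would be built from each group object's `member` attribute, filtered to members that are themselves groups, and the algorithm is unchanged.

```python
"""Find circular nested-group membership.  Added example with constructed
data; not the Microsoft script referenced in the thread."""
from typing import Dict, List, Set

# Constructed sample: group -> groups that are its direct members.
# Group names are assumptions; real data comes from each group's `member`
# attribute in AD, keeping only members that are groups.
SAMPLE_NESTING: Dict[str, List[str]] = {
    "SMA-Admins": ["Mail-Ops", "Helpdesk"],
    "Mail-Ops": ["Infra-Team"],
    "Infra-Team": ["SMA-Admins"],  # closes SMA-Admins -> Mail-Ops -> Infra-Team -> SMA-Admins
    "Helpdesk": [],
    "Audit": ["Helpdesk"],
}


def find_group_cycles(nesting: Dict[str, List[str]]) -> List[List[str]]:
    """Return every nesting cycle as a list of group names that starts and
    ends on the same group.  A self-referential group yields [G, G].

    Depth-first search with an explicit path stack: a member that is already
    on the current path closes a cycle.  Groups whose subtree has been fully
    explored are skipped on later visits, so every edge is walked once.
    """
    cycles: List[List[str]] = []
    done: Set[str] = set()

    def walk(group: str, path: List[str]) -> None:
        if group in path:
            cycles.append(path[path.index(group):] + [group])
            return
        if group in done:
            return
        path.append(group)
        for member in nesting.get(group, []):   # unknown groups = no members
            walk(member, path)
        path.pop()
        done.add(group)

    for group in nesting:
        walk(group, [])
    return cycles


def groups_in_cycles(nesting: Dict[str, List[str]]) -> Set[str]:
    """Flat set of groups that take part in any cycle (what you would fix)."""
    return {g for cycle in find_group_cycles(nesting) for g in cycle}


if __name__ == "__main__":
    for cycle in find_group_cycles(SAMPLE_NESTING):
        print(" -> ".join(cycle))
```

Any group reported here should have the offending nesting removed; a clean run over the full export is the condition the earlier reply asks you to confirm before looking elsewhere.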

in the SMA.

1. Make sure you have a local admin account so you don't get yourself in trouble.

2. Remove all but one DC from the LDAP config.

3. Turn up diagnostic logging on that DC and see what you get. I assume you have the LDAP log on the SMA turned all the way up too?? Here's the reference on turning up LDAP logging on Windows: https://technet.microsoft.com/en-us/library/cc961809.aspx

I'll try the AD debugging. The SMA log doesn't have levels of logging as far as I can see, and that's where I saw some 54 errors, which correlate to the IronPort LDAP account login. With a Wireshark capture, I see two LDAP entries with successful authentication.

It's probably called "external_auth_logs" on the SMA...

That's what it's called on WSA/ESA..

This error 54 does not appear to be the same as LDAP error 54's nested group loop. This is a network error.

LDAP_Debug_Log on the SMA (the following is logged every few minutes):

Connection Error: [Errno 54] Connection reset by peer

Increasing logging on the DC shows the LDAP client connection was closed because of an error and a timeout....

This happens on both of our physical SMA appliances, which are on the same network as the domain controllers.

Event ID 1317

Internal event: The directory service has disconnected the LDAP connection from the following network address due to a time-out.

Network address:
x.x.x.x:63770  <<< SMA IP 

Event ID 1216

Internal event: An LDAP client connection was closed because of an error.

Client IP:
x.x.x.x:63758   << SMA

Additional Data
Error value:
1236 The network connection was aborted by the local system.
Internal ID:
c060372
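A way to confirm the conclusion above (OS-level reset, not an LDAP loop) from logs alone, as an added example that is not from the thread or from Cisco. The `[Errno 54]` in the SMA log is the operating system errno: on AsyncOS's FreeBSD base, 54 is ECONNRESET ("Connection reset by peer"), which has nothing to do with LDAP result code 54 (loopDetect). If each SMA reset is preceded, within a few seconds, by a Directory Service event 1317 or 1216 for the SMA's address, the DC is the side closing the session. All log lines below are constructed, the timestamp layout and the SMA address are assumptions, and the DC lines stand in for an export of the Directory Service event log.

```python
"""Correlate SMA LDAP_Debug_Log resets with DC Directory Service events
1317 (disconnected due to time-out) and 1216 (closed because of an error).
Added example; every line of sample data below is constructed."""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

SMA_IP = "10.0.0.25"            # assumed SMA address (thread shows x.x.x.x)
TS_FMT = "%Y-%m-%d %H:%M:%S"    # assumed timestamp layout for both sources

# Constructed SMA log lines.  Errno 54 here is the FreeBSD ECONNRESET value,
# not LDAP result code 54 (loopDetect).
SMA_LOG = """\
2018-03-07 10:12:03 (538) Connection Error: [Errno 54] Connection reset by peer
2018-03-07 10:12:03 (538) Connection interrupted (writer)
2018-03-07 10:15:41 (612) Connection Error: [Errno 54] Connection reset by peer
2018-03-07 10:20:09 (701) Bind succeeded
"""

# Constructed DC export: timestamp, event id, client address:port.
DC_EVENTS = """\
2018-03-07 10:12:01 1317 10.0.0.25:63770
2018-03-07 10:12:02 1216 10.0.0.25:63758
2018-03-07 10:15:40 1317 10.0.0.25:63801
2018-03-07 10:18:00 1317 10.0.0.40:51002
"""

SMA_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(\d+\) Connection Error: \[Errno (\d+)\]")
DC_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) ([\d.]+):\d+$")
DC_DISCONNECT_IDS = (1317, 1216)


def parse_sma_resets(text: str) -> List[Tuple[datetime, int]]:
    """(timestamp, errno) for each SMA 'Connection Error' line."""
    out = []
    for line in text.splitlines():
        m = SMA_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS_FMT), int(m.group(2))))
    return out


def parse_dc_disconnects(text: str, client_ip: str) -> List[Tuple[datetime, int]]:
    """(timestamp, event id) for DC disconnect events whose client is client_ip."""
    out = []
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m and m.group(3) == client_ip and int(m.group(2)) in DC_DISCONNECT_IDS:
            out.append((datetime.strptime(m.group(1), TS_FMT), int(m.group(2))))
    return out


def correlate(resets: List[Tuple[datetime, int]],
              events: List[Tuple[datetime, int]],
              window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, List[int]]]:
    """For each SMA reset, the DC event ids logged within `window` before it.
    A non-empty list means the DC closed the session; an empty one means the
    reset came from somewhere else and needs a capture to explain."""
    matched = []
    for ts, _errno in resets:
        ids = [eid for ets, eid in events if ts - window <= ets <= ts]
        matched.append((ts.strftime(TS_FMT), ids))
    return matched


if __name__ == "__main__":
    pairs = correlate(parse_sma_resets(SMA_LOG),
                      parse_dc_disconnects(DC_EVENTS, SMA_IP))
    for when, ids in pairs:
        print(when, "DC events:", ids or "none")
```

The window is deliberately short because the DC event is the cause and the SMA reset the effect; widen it only if the two clocks are known to drift.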