LDAP: QueryAD_Default timed out message help!

smills · ‎07-26-2011

Hi

Since a power down over the weekend our C160 which is running version 7.0.1-010 our Ironport device is reporting alerts:

We are getting the message:

LDAP: query AD_Default.accept result inquiry timed out

Can anyone help what could be wrong?

Thanks

Christopher Smith · ‎07-26-2011

Greetings,

You have likely lost connectivity to your AD server. I would first recommend enabling the LDAP debug logs so you can obtain more data. In addition you may want to try to test connectivity from your appliance via the CLI using telnet. You can then telnet to the AD server on the specified port 389, or 3268. Generally this is an issue with either connectivity or DNS. If the look up fails when you try to telnet using the hostname try the IP. If the IP works and the host name does not then this likely a DNS issue.

arheel.cisco.com> ldapconfig

Current LDAP server configurations:

1. Campbell: (64.102.157.29:3268)

2. Joe-Ldap: (10.92.152.122:389)

3. vada: (10.92.152.122:389)

Choose the operation you want to perform:

- NEW - Create a new server configuration.

- EDIT - Modify a server configuration.

- DELETE - Remove a server configuration.

- SETUP - Configure LDAP options.

- ADVANCED - Configure advanced LDAP queries.

[]>

tarheel.cisco.com>

tarheel.cisco.com> telnet

Please select which interface you want to telnet from.

1. Auto

2. Data 1 (14.36.191.8/16: tarheel2.cisco.com)

3. Data 2 (172.18.124.51/24: test.cisco.com)

[1]>

Enter the remote hostname or IP address.

[]> 64.102.157.29

Enter the remote port.

[25]> 3268

Trying 64.102.157.29...

Connected to dhcp-64-102-157-29.cisco.com.

Escape character is '^]'.

Below are instructions on setting up the debug logs.

An important feature within the IronPort C-Series appliance is its logging capabilities. AsyncOS can generate many types of logs, recording varying types of information. Log files contain the records of regular operations and exceptions from various components of the system. This information can be valuable when monitoring your IronPort C-Series appliance as well as when troubleshooting or checking performance.

Logs can be configured and created through the IronPort CLI using the logconfig command or via the GUI. See the link below for configurng logs via the GUI.

Below is an example of creating a LDAP debug log subscription using the CLI:.

ironport.com> logconfig
Currently configured logs: 1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll 2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll 3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll 4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll 5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll 6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll 8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll 9. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 10. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll 11. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll 12. "status" Type: "Status Logs" Retrieval: FTP Poll 13. "system_logs" Type: "System Logs" Retrieval: FTP Poll
Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. []> new
Choose the log file type for this subscription: 1. IronPort Text Mail Logs 2. qmail Format Mail Logs 3. Delivery Logs 4. Bounce Logs 5. Status Logs 6. Domain Debug Logs 7. Injection Debug Logs 8. System Logs 9. CLI Audit Logs 10. FTP Server Logs 11. HTTP Logs 12. NTP logs 13. Mailflow Report Logs 14. Symantec Brightmail Anti-Spam Logs 15. Symantec Brightmail Anti-Spam Archive 16. Anti-Virus Logs 17. Anti-Virus Archive 18. LDAP Debug Logs [1]> 18
Please enter the name for the log: []> ldap_debug
Choose the method to retrieve the logs. 1. FTP Poll 2. FTP Push 3. SCP Push [1]>
Filename to use for log files: [ldap.log]>
Please enter the maximum file size: [10485760]>
Please enter the maximum number of files: [10]>
Currently configured logs: 1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll 2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll 3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll 4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll 5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll 6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll 8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll 9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll 10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll 12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll 13. "status" Type: "Status Logs" Retrieval: FTP Poll 14. "system_logs" Type: "System Logs" Retrieval: FTP Poll
Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. []>
ironport.com> commit

Below is an example for editing an existing log.

ironport.com> logconfig
Currently configured logs: 1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll 2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll 3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll 4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll 5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll 6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll 8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll 9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll 10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll 12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll 13. "status" Type: "Status Logs" Retrieval: FTP Poll 14. "system_logs" Type: "System Logs" Retrieval: FTP Poll
Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. []> edit
Enter the number of the log you wish to edit. []> 9
Please enter the name for the log: [ldap_debug]>
Choose the method to retrieve the logs. 1. FTP Poll 2. FTP Push 3. SCP Push [1]>
Please enter the filename for the log: [ldap.log]>
Please enter the maximum file size: [10485760]> 52422880
Please enter the maximum number of files: [10]> 100
Currently configured logs: 1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll 2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll 3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll 4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll 5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll 6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll 8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll 9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll 10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll 11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll 12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll 13. "status" Type: "Status Logs" Retrieval: FTP Poll 14. "system_logs" Type: "System Logs" Retrieval: FTP Poll
Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. []>
ironport.com> commit

$REFERENCES

For more information about Creating a Log Subscription in the GUI, see the AsyncOS Advanced User Guide on the IronPort

Christopher C Smith

CSE
Cisco IronPort Customer Support

Enrico Werner · ‎08-01-2011

Hi,

This alert is sent based on the AsyncOS 7.0.1 release. However, the issue has already been existing earlier, but was unnoticed due to the absent of this alert in previous AsyncOS releases.

One reason for this alert could be also a firewall interrupting idle TCP session. The IronPort Appliance will establish all sessions and then wait for queries to sent. It will only reconnect after 6 hours or 10.000 queries, whatever comes first.

If a router/firewall interrupts the session after e.g. an timeout of 240 sec then such an inquiry timeout can be triggered. For the production it has no real impact as it will immediately reconnect and resent the query. So in fact the issue is not critical and does not result in a loss of email traffic.

The behavior has changed in version 7.1 where only a consolidated notification is sent out. Please upgrade to that version of AsyncOS to have the issue solved.

Regards,

Enrico

rwaqanitoga · ‎08-01-2011

Thanks,

Ruveni