cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
785
Views
0
Helpful
0
Replies

ACS - LDAP TCP Keepalive (v5.2)

rob.schieron
Level 1
Level 1

reposting as with subject including v5.2:

--------

Hello

I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.

When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).

I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.

Is there any possibility to enable Keepalives in ACS?

Thanks in advance for any help!

Average Rating: 0 (0 Votes)
Outline View
EmployeeJavier Henderson
1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst
Re: ACS 4.2 - LDAP TCP Keepalive

You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.

 Juergen Meier

Apparently this bug has re-appeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.

It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails due to the TCP connection been timed-out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.

Further ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.

A new ticket will be filed with TAC today.

 ROB SCHIERON

I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.

Did you make any progress with your TAC case?

Without using the root patch, this command is useful for finding out what is going on (it's just netstat):

# show tech-support | i ldap | i tcp

ldap            389/tcp

ldaps           636/tcp                         # LDAP over SSL

tcp        0      0 exc2-acscor-1401:53892      acs.ldapunix.co:ldap ESTABLISHED

tcp        0      0 exc2-acscor-1401:53893      acs.ldapunix.co:ldap ESTABLISHED

tcp        0      0 exc2-acscor-1401:53890      acs.ldapunix.co:ldap ESTABLISHED

tcp        0      0 exc2-acscor-1401:53891      acs.ldapunix.co:ldap ESTABLISHED

tcp        0      0 exc2-acscor-1401:53889      acs.ldapunix..co:ldap ESTABLISHED

Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:

LDAP Connection Management


ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.

ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.

If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.

After the authentication process is complete, the connection manager releases the connection to the connection manager.


I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R.

0 Replies 0