06-16-2015 05:17 AM - edited 03-18-2019 04:36 AM
I have a cluster of 2 Telepresence VCS-Control in the same network (VLAN) and a cluster of 2 Telepresence Expressway in the same DMZ network (VLAN). And both are on the same site. On both master peers I have succeeded to sync the servers against the LDAP server (AD), but the two slaves with identical config for users/certificate/LDAP settings are not successful: "DNS unable to resolve LDAP server address." It seems to me that the peers don't trust the certificate.
06-16-2015 07:40 AM
2 things to try here:
1) On each peer that is failing to connect to LDAP, go to Maintenance > Tools > Network Utilities > DNS Lookup and try to perform a few DNS lookups. Are you able to resolve anything? This test confirms you have DNS reachability. If this fails then you have a potential firewall/ACL issue. If this succeeds, then try option 2.
2) Start a diagnostic log on the peers that are failing. Then try to sync them with LDAP. Once it fails, stop the diagnostic log. Filter on the IP or FQDN address you specified for the LDAP server and see if any error messages are thrown. You should get an error/warning if there is a certificate trust issue. If you are using encryption on the LDAP configuration, make sure that the AD server's certificate is signed by an authority within the VCS peers' trusted CA certificate list.
06-16-2015 11:05 AM
1. Done that. And it is resolving correctly. I have done this together with the guys responsible for firewalls, AD and DNS.
2. Also done that. I have, as I mentioned earlier, VCS Control in a cluster (master and slave), in the same subnet, same certificates and same LDAP configuration. So if the master trusts the certificate, why doesn't the slave trust the same certificate, same firewall, same site, same rack and same switch?
06-16-2015 11:16 AM
Did the diagnostic log not give you any more information? Also what makes you think it is a certificate issue in the first place? If you attach the log perhaps we can help you take a look.
06-16-2015 11:28 AM
Ok, I'll do that tomorrow when I'm at work again :)
06-17-2015 05:57 AM
Ok, here's the logs: one from the master (working) and one from the slave (not working). But when using the DNS lookup tool I receive a response from the server with the correct IP.
06-17-2015 05:57 AM
The logs you attached are event logs and not diagnostic logs from the VCS. However from these logs it appears that the VCS slave is not able to establish a connection with the ldap server. So the DNS resolution is probably taking place, but the tcp/tls connection is not establishing.
I would recommend getting a diagnostic log (Maintenance > Diagnostics > Diagnostic logging) while reproducing the connection failure to see what part in the connection is failing.
If you have root access to the VCS Slave you could also login as root via ssh and then issue the following command:
> tcpdump -s0 tcp port <ldap connection port>
Insert the port you are using to connect to LDAP in the <ldap connection port> field and then press enter. You will now see all traffic to and from that port. Do you see any resets? Is the traffic in one direction? This should help to figure out why the failure is occurring.
07-13-2015 07:11 AM
Sorry for not following up on this post until now, but here's an excerpt of the log.
VCS-C-Master looks like this:
TCP Dump from the failing server (Slave):
61 Alert (Level: Fatal, Description: Unknown CA)
If you need the complete logs, is there a way to send them to you without publishing them here?
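The "Alert (Level: Fatal, Description: Unknown CA)" line from the slave's tcpdump is a TLS alert record, and which side sends it is the key fact: the peer that sends unknown_ca is the one that could not chain the other side's certificate to a CA in its own trust store, which is exactly the trusted-CA-list check suggested earlier in the thread. As an added example (not code from the thread, from the poster, or from Cisco), the Python below decodes raw TLS alert records the way a capture shows them, names the rejecting side from the packet direction, and includes a stdlib-only helper that attempts an LDAPS handshake against a chosen CA bundle so the same failure can be reproduced from a shell without tcpdump. The sample byte strings, hostnames and port are constructed for the example.

```python
"""Decode TLS alert records from a capture and probe an LDAPS port's trust.

Added example; not the VCS's or Cisco's code. The sample records below
are constructed and are not bytes from the original capture.
"""
import socket
import ssl
import struct

CONTENT_TYPE_ALERT = 0x15          # TLS record content type for alerts
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246 section 7.2 (subset relevant to cert trust)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}
CERT_REJECTION_CODES = {42, 43, 44, 45, 46, 48}  # sender rejected receiver's certificate


def _version_name(major, minor):
    """Map the record-layer version bytes to a human-readable protocol name."""
    if major == 3 and minor == 0:
        return "SSL 3.0"
    if major == 3 and 1 <= minor <= 4:
        return f"TLS 1.{minor - 1}"
    return f"unknown {major}.{minor}"


def parse_tls_alert(record):
    """Parse one plaintext TLS alert record (5-byte header + 2-byte payload).

    Raises ValueError for anything that is not an unencrypted alert; alerts
    sent after the handshake completes are encrypted and cannot be decoded
    from a capture this way.
    """
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type:#x})")
    if length != 2 or len(record) != 7:
        raise ValueError("alert payload is not 2 bytes: encrypted or malformed")
    level, code = record[5], record[6]
    return {
        "version": _version_name(major, minor),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(code, f"unknown({code})"),
        "code": code,
    }


def explain_alert(sender, receiver, alert):
    """Combine a parsed alert with the capture's packet direction into a diagnosis."""
    name = alert["description"]
    if alert["code"] in CERT_REJECTION_CODES:
        return (f"{sender} sent {alert['level']} {name} to {receiver}: {sender} rejected "
                f"{receiver}'s certificate (for unknown_ca: the signing CA is missing "
                f"from {sender}'s trusted CA list)")
    return f"{sender} sent {alert['level']} {name} to {receiver}"


def probe_ldaps_trust(host, port=636, cafile=None, timeout=5.0):
    """Try a TLS handshake to an LDAPS server, verifying its certificate against
    `cafile` (or the system store when None). Returns a short result string
    instead of raising, so it can be used from a loop over several peers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return f"ok: server certificate verified, subject={subject}"
    except ssl.SSLCertVerificationError as exc:
        # This is the client-side counterpart of the unknown_ca alert in a capture
        return f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        return f"tls error: {exc}"
    except OSError as exc:
        return f"tcp failure: {exc}"


# Constructed sample records: TLS 1.2 record layer, fatal unknown_ca (48),
# and a warning close_notify (0) for contrast.
SAMPLE_UNKNOWN_CA = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30])
SAMPLE_CLOSE_NOTIFY = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00])

if __name__ == "__main__":
    # Direction is taken from the capture: here the constructed case is the
    # VCS slave sending the alert towards the AD server.
    alert = parse_tls_alert(SAMPLE_UNKNOWN_CA)
    print(alert)
    print(explain_alert("vcs-slave.example (constructed)", "ad.example (constructed)", alert))
    print(parse_tls_alert(SAMPLE_CLOSE_NOTIFY))
    # Uncomment to test a real peer with the CA bundle you expect the VCS to trust:
    # print(probe_ldaps_trust("ad.example", 636, cafile="/path/to/trusted-ca.pem"))
```

Reading the direction out of the capture matters more than the alert text: if the slave is the sender of unknown_ca, the fix is on the slave's trusted CA list; if the AD server sends it, the server is rejecting the slave's client certificate, which would point at the certificate the slave presents rather than the CA list.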