Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1753
Views
0
Helpful
6
Replies

Cisco 2911 - LDAP Locks up after an login using incorrect password over VPN

Go to solution
rmnr
Level 1
Level 1

ā€Ž03-21-2017 12:12 PM

Hi,

Cisco 2911 - LDAP Locks up after an login using incorrect password over VPN, we have to clear LDAP server using the below command for any user to connect again.

clear ldap server DC01 (DC01 is the ldap server configured)

Below is the debug when any user tries to login using correct password while LDAP is locked out.

ā€œReceive event: read=1, errno=11 (Resource Temporarily Unavailable)"

"LDAP Search Operation result : failed"

We are using Cisco VPN client to connect. Could anyone help us to fix this or find a work around?

Thanks,

Rijath Mohamed

Labels:
Preview file
109 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to rmnr

ā€Ž03-22-2017 02:02 PM

Then this is clearly an IOS issue.

I would try a gold star release such as 15.5.3M5 or 15.4.3M7.

15.6 is bleeding edge new.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

ā€Ž03-21-2017 09:16 PM

What version of software are you running on your 2911?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

ā€Ž03-21-2017 09:18 PM

It looks to me like the LDAP server is returning a "resource temporarily unavailable" error, and the 2911 will be knocking out the LDAP server from further consideration for a period of time - because the server is saying it is sick.

I would check the log on the LDAP server to see if it says anything interesting.

0 Helpful

Go to solution
rmnr
Level 1
Level 1
In response to Philip D'Ath

ā€Ž03-22-2017 07:09 AM

Thank you for replying, Philip

LDAP server does not log any error when authentication is failing, more over this starts happening after updating IOS from 15.2.4 M6 to 15.6.3 M1 - issue exists in the version 152-4.M6 as well.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to rmnr

ā€Ž03-22-2017 02:02 PM

Then this is clearly an IOS issue.

I would try a gold star release such as 15.5.3M5 or 15.4.3M7.

15.6 is bleeding edge new.

0 Helpful

Go to solution
rmnr
Level 1
Level 1
In response to Philip D'Ath

ā€Ž03-23-2017 01:33 PM

I do not think that will work either, Phillip. We are going to test it will AnyConnect! :) thank you for helping me out.

0 Helpful

Go to solution
rmnr
Level 1
Level 1
In response to Philip D'Ath

ā€Ž03-27-2017 05:09 AM

Hi Philip,

Found a workaround for this issue:

  • LDAP requests are successfully authenticated until any one of the user connects with an incorrect password
  • From that moment, 'User is rejected'  message will be send by router even when a user tries with correct password
  • Packet captures in server was throwing the error that a 'Successful bind is required to perform this action'
  • So I added the 'bind-first' to the LDAP server config
  • Now binding is successful, but router searching in the base-dn string, not searching inside the OU
  • Updated base-dn value to complete string to the OU where user is  located

So now LDAP on router is not getting locked if a user tries incorrect password, they are able to connect with correct password without clearing active LDAP server session

I too believe that this is an issue with the IOS code, but we are happy as long as the above solution work for us. :)

Thank you, 

Rijath Mohammed

0 Helpful
Customers Also Viewed These Support Documents