https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553784#M1730 <P>Hello Oliver,</P> <P>Thank you for advice.</P> <P>I've already checked the cert on the DC and also tried to replace it by stronger cert (RSA3072 | SHA384), but with no luck.Your advice I checked too. There is a difference: in case the DC uses RSA2048 or RSA3072 cert, the NGFW sends RST packet right after "Server Hello" message, in other case when it uses RSA4096 - the DC sends RST packet right after Client Hello message. I'm going to check if it related on Microsoft OS version.</P> <P>DM</P> Tue, 15 Aug 2023 14:18:28 GMT m0tash 2023-08-15T14:18:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553634#M1718 <P>Hello,</P> <P>I upgraded one of our PA devices from 10.1.9 to 10.2.4-h4. LDAPS was configured to access and gather user's info from DC. But it stoped working after upgrade. I captured traffic and saw following error - TLS Handshake Failure. I know that starting version 10.2 Palo Alto Networks has changed requrements for certificates. I checked ours and looks like it meets minimal certifcate requerements (RSA2048, SHA256). Currently we use LDAP but I'd like to switch back to LDAPS.</P> <P>I appreciate any help.</P> Mon, 14 Aug 2023 10:13:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553634#M1718 m0tash 2023-08-14T10:13:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553725#M1726 <P>Hello M0tash,</P> <P>&nbsp;</P> <P>Can you check the parameters of the certificate on the server side (LDAP server)?<BR />Increase the security level of the certificate (for instance : number of bits to 4096 bits // digest SHA512) and check if this works.</P> <P>&nbsp;</P> <P>Olivier</P> Tue, 15 Aug 2023 03:29:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553725#M1726 ozheng 2023-08-15T03:29:45Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553784#M1730 <P>Hello Oliver,</P> <P>Thank you for advice.</P> <P>I've already checked the cert on the DC and also tried to replace it by stronger cert (RSA3072 | SHA384), but with no luck.Your advice I checked too. There is a difference: in case the DC uses RSA2048 or RSA3072 cert, the NGFW sends RST packet right after "Server Hello" message, in other case when it uses RSA4096 - the DC sends RST packet right after Client Hello message. I'm going to check if it related on Microsoft OS version.</P> <P>DM</P> Tue, 15 Aug 2023 14:18:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553784#M1730 m0tash 2023-08-15T14:18:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553872#M1736 <P>Hello M0tash,&nbsp;</P> <P>&nbsp;</P> <P>I did not ask, but your management interface is initiating the traffic to the LDAPS servers or you are using a service route?</P> <P>If you use the management interface, is the traffic passing through a firewall doing some decryption?</P> <P>&nbsp;</P> <P>It can be interesting to capture the communication if you're opening a case to TAC (or the TAC engineer can also do the capture too).</P> <P>&nbsp;</P> <P>Olivier</P> Wed, 16 Aug 2023 01:55:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553872#M1736 ozheng 2023-08-16T01:55:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553912#M1737 <P>Hello Oliver,</P> <P>I checked it on my test enviroment too. Mgmt interface is used for communication to DC, there is no configured service route for that. Mgmt interface and DC are in same subnet, there is no additional FWs between devices. Ok, I'll try to open TAC.</P> <P>Thank you!</P> Wed, 16 Aug 2023 07:12:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ldaps-tls-handshake-failure/m-p/553912#M1737 m0tash 2023-08-16T07:12:59Z