https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570227#M2279 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239962">@dramchandani</a></P> <P>&nbsp;</P> <P>to be honest I do not think that PA Firewall is built for this kind of health check. To address this use case, I would be looking into pointing Firewall to virtual IP address of load balancer and have load balancer to perform health LDAP check queries against LDAP servers. In this case load balancer could take out of service unhealthy server from the server pool.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Mon, 18 Dec 2023 12:19:37 GMT PavelK 2023-12-18T12:19:37Z https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/569814#M2267 <P>-I had two LDAP servers configured with a firewall, the primary LDAP server had an issue with high CPU and memory due to which the firewall lost the group membership though the firewall has L3 reachability.</P> <P>During the log analysis found that&nbsp;&nbsp;get-ldap-data-failure from Primary LDAP.&nbsp;</P> <P>We manually failed over the LDAP to a secondary one and this resolved the issue but the primary concern is how do we trigger a failover LDAP based on information being missing rather than just L3 reachability.&nbsp;</P> <P>In this case, Firewall was not losing any pings to Primary LDAP, it was just not getting the data at the right time.</P> <P>&nbsp;</P> Thu, 14 Dec 2023 03:08:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/569814#M2267 dramchandani 2023-12-14T03:08:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570227#M2279 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239962">@dramchandani</a></P> <P>&nbsp;</P> <P>to be honest I do not think that PA Firewall is built for this kind of health check. To address this use case, I would be looking into pointing Firewall to virtual IP address of load balancer and have load balancer to perform health LDAP check queries against LDAP servers. In this case load balancer could take out of service unhealthy server from the server pool.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Mon, 18 Dec 2023 12:19:37 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570227#M2279 PavelK 2023-12-18T12:19:37Z https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570271#M2280 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for responding, yes LB makes sense in this case.</P> <P>The other question I have is, why firewall will lose cached entry? The firewall has LDAP query timer configured as 60 minutes and after 60 min FW will fetch delta configuration from LDAP but in this case, the Firewall lost the complete group membership and there was not a single group entry, why would firewall lose all of the cached/learned entries?</P> Mon, 18 Dec 2023 20:08:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570271#M2280 dramchandani 2023-12-18T20:08:23Z https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570280#M2281 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/239962">@dramchandani</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I see what you mean. Based on my past experience default LDAP query timer never failed me. I do not have answer for this. From your post it looks like you went pretty deep into troubleshooting, but just in case did you have a chance to review logs:&nbsp;tail mp-log authd.log to see what exactly happened?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Mon, 18 Dec 2023 23:20:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/get-ldap-data-failure-ldap-failover-doesn-t-work/m-p/570280#M2281 PavelK 2023-12-18T23:20:34Z