https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47238#M34720 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have implemented a Palo Alto without Management interface, only an Inside interface/zone and Outside interface/zone. I configured the service route configuration to use Inside IP address for updates, dns... (all service routes). Also I have configured the network routing (all the networks that has to be accessed from Inside IP address.</P><P></P><P>The problem is on ldap connection. When I configure the group mapping, I get an error because PaloAlto can not connect to ldap server.</P><P></P><P>My tests:</P><P></P><P>If I do a ping to ldap host, I get: From &lt;management IP&gt; icmp seq=X Destination host unrecheable. But If I do a ping with source Iniside IP address to ldap host I get response.</P><P></P><P>admin@PA-500&gt; show user group-mapping state all</P><P></P><P>Group Mapping(vsys1, type: e-directory): LDAP_userauth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Bind DN&nbsp;&nbsp;&nbsp; : cn=admin,o=esteve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Base&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ou=info,ou=intranet,o=esteve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Group Filter: (None)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User Filter: (None)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Servers&nbsp;&nbsp;&nbsp; : configured 1 servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.20.0.181(636)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last Action Time: 50 secs ago(took 3 secs)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Next Action Time: In 10 secs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last LDAP error: Can't contact LDAP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Number of Groups: 0</P><P></P><P></P><P>Could be that ldap connection is being started on management interface and the service routing for this service is not working?</P><P></P><P>Regards,</P></BODY></HTML> Tue, 12 Jun 2012 09:44:35 GMT david_rivas1 2012-06-12T09:44:35Z https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47238#M34720 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have implemented a Palo Alto without Management interface, only an Inside interface/zone and Outside interface/zone. I configured the service route configuration to use Inside IP address for updates, dns... (all service routes). Also I have configured the network routing (all the networks that has to be accessed from Inside IP address.</P><P></P><P>The problem is on ldap connection. When I configure the group mapping, I get an error because PaloAlto can not connect to ldap server.</P><P></P><P>My tests:</P><P></P><P>If I do a ping to ldap host, I get: From &lt;management IP&gt; icmp seq=X Destination host unrecheable. But If I do a ping with source Iniside IP address to ldap host I get response.</P><P></P><P>admin@PA-500&gt; show user group-mapping state all</P><P></P><P>Group Mapping(vsys1, type: e-directory): LDAP_userauth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Bind DN&nbsp;&nbsp;&nbsp; : cn=admin,o=esteve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Base&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ou=info,ou=intranet,o=esteve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Group Filter: (None)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User Filter: (None)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Servers&nbsp;&nbsp;&nbsp; : configured 1 servers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 172.20.0.181(636)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last Action Time: 50 secs ago(took 3 secs)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Next Action Time: In 10 secs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last LDAP error: Can't contact LDAP server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Number of Groups: 0</P><P></P><P></P><P>Could be that ldap connection is being started on management interface and the service routing for this service is not working?</P><P></P><P>Regards,</P></BODY></HTML> Tue, 12 Jun 2012 09:44:35 GMT https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47238#M34720 david_rivas1 2012-06-12T09:44:35Z https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47239#M34721 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P></P><P>You need to specify a service route based on destination for ldap connections.</P><P></P><P>This can be done Device -&gt; Setup -&gt; Services -&gt; Service Route Configuration -&gt; set Destination(ldap server) and source Inside IP address</P><P></P><P>- Stefan</P></BODY></HTML> Tue, 12 Jun 2012 18:09:20 GMT https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47239#M34721 sspringer 2012-06-12T18:09:20Z https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47240#M34722 <HTML><HEAD></HEAD><BODY><P>I have configured a destination to the ldap network with the Internal Source addres. Shuld I add a destination to host (maks 32) instead a destination to the network?</P></BODY></HTML> Wed, 13 Jun 2012 08:15:12 GMT https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47240#M34722 david_rivas1 2012-06-13T08:15:12Z https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47241#M34723 <HTML><HEAD></HEAD><BODY><P>Unfortunately only a single IP Address can be specificed. There is no need to put /32 mask, just the IP address. For example: 172.24.7.50</P><P></P><P>Attached is sample screenshot.</P></BODY></HTML> Wed, 13 Jun 2012 16:32:43 GMT https://live.paloaltonetworks.com/t5/general-topics/service-route-for-ldap/m-p/47241#M34723 sspringer 2012-06-13T16:32:43Z