https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/109540#M45011 <P>Hello,</P><P>&nbsp;</P><P>Issue is resolved by&nbsp;<SPAN>unchecking the SSL box, committing, then checking the SSL box and committing again.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P><SPAN>Farzana</SPAN></P> Wed, 31 Aug 2016 22:47:30 GMT Farzana 2016-08-31T22:47:30Z https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/105063#M44733 <P>Hi,</P><P>&nbsp;</P><P><SPAN>No changes on Firewall or LDAP server side. All of a sudden noticed&nbsp;for some virtual systems, LDAP server connection failed.</SPAN></P><P>The <SPAN class="lia-search-match-lithium">LDAP</SPAN> is configured correctly and we have the read permissions for everything in AD user.&nbsp;<BR /><SPAN>Errors in usridd.log:</SPAN></P><P>&nbsp;</P><P><SPAN>2016-08-22 10:50:34.768 +1000 connecting to ldap://[192.168.12.16]:636 with StartTLS...</SPAN></P><P><SPAN>2016-08-22 10:50:34.772 +1000 Error:&nbsp; pan_ldap_init_ex(pan_ldap.c:249): start_tls_s return(-1) : Can't contact LDAP server</SPAN></P><P><SPAN>2016-08-22 10:50:34.772 +1000 connecting to ldaps://[192.168.12.16]:636 ...</SPAN></P><P><SPAN>2016-08-22 10:50:34.778 +1000 Error:&nbsp; pan_ldap_init_ex(pan_ldap.c:253): install_tls return(-11) : Connect error</SPAN></P><P><SPAN>2016-08-22 10:50:34.778 +1000 Error:&nbsp; pan_user_get_ldap(pan_group_selection_n.c:74): pan_ldap_init(192.168.12.16, 636) failed: Connect error</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Any idea what is it indicating?</P><P>&nbsp;</P><P>Regards</P><P>Farzana</P> Mon, 22 Aug 2016 03:11:44 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/105063#M44733 Farzana 2016-08-22T03:11:44Z https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/105189#M44739 <P>have you tried disabling SSL on the ldap profile ?</P> <P>&nbsp;</P> <P>try increasing the debug level:</P> <PRE>&gt; debug user-id on debug &gt; debug user-id set ldap all</PRE> <P>this may provide you with more details</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>don't forget to unset debugging after you're done:</P> <PRE>&gt; debug user-id unset all &gt; debug user-id on info</PRE> Mon, 22 Aug 2016 09:24:23 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/105189#M44739 reaper 2016-08-22T09:24:23Z https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/109540#M45011 <P>Hello,</P><P>&nbsp;</P><P>Issue is resolved by&nbsp;<SPAN>unchecking the SSL box, committing, then checking the SSL box and committing again.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P><SPAN>Farzana</SPAN></P> Wed, 31 Aug 2016 22:47:30 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/109540#M45011 Farzana 2016-08-31T22:47:30Z https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/116114#M45458 <P>i have the same messages:</P><P>&nbsp;</P><P>2016-09-27 11:02:39.493 +0200 connecting to ldap://[XXXXXX.domain.com]:636 with StartTLS...<BR />2016-09-27 11:02:39.496 +0200 Error: pan_ldap_init_ex(pan_ldap.c:249): start_tls_s return(-1) : Can't contact LDAP server<BR />2016-09-27 11:02:39.496 +0200 connecting to ldaps://[XXXXXX.domain.com]:636 ...<BR />2016-09-27 11:02:39.609 +0200 ldap cfg Pan_Grp connected to XXXXXX.domain.com:636(index 0)</P><P>&nbsp;</P><P>looks like, it tries to connect with normal LDAP:636 and then successfully with LDAPS:636.&nbsp; LDAP:636 will not work...</P><P>Checkbox "SSL required" is checked and it still tries LDAP:636 first...</P> Tue, 27 Sep 2016 09:12:10 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/116114#M45458 Hithead 2016-09-27T09:12:10Z https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/116252#M45475 <P>Hi Hithead,</P><P>&nbsp;</P><P>We opened a support case for this and now it is escalated to their engineering team. PAN support has suggested to upgrade to 7.0.10 and see if it addresses the issue.</P> Tue, 27 Sep 2016 22:44:12 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-contact-ldap-server-connect-error/m-p/116252#M45475 Farzana 2016-09-27T22:44:12Z