https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221867#M63840 <P>Configuration as below</P><P>&nbsp;</P><P>1. Mangement interface with IP 192.168.1.2 (non-PA device as gateway)</P><P>2. Windows AD with IP 172.16.1.2 (PA device layer3 interface as gateway)</P><P>3. Subnet 192.168.1.0/24 and 172.16.1.0/24 cannot reach each other</P><P>&nbsp;</P><P>With correct LDAP config (LDAP IP, Port, Base DN, etc.). Go to "Device &gt; User Identification &gt; Group Mapping Settings &gt; Group Include List". When expand the AD Users and Computers list always show failed to connect to the AD server.</P><P>&nbsp;</P><P>After I change the management interface IP to the same subnet of Windows AD or set route to allow communication between the 2 subnet. The problem gone.</P><P>&nbsp;</P><P>Is this the product restriction or did I miss something?</P> Thu, 12 Jul 2018 03:10:59 GMT jeremylo 2018-07-12T03:10:59Z https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221867#M63840 <P>Configuration as below</P><P>&nbsp;</P><P>1. Mangement interface with IP 192.168.1.2 (non-PA device as gateway)</P><P>2. Windows AD with IP 172.16.1.2 (PA device layer3 interface as gateway)</P><P>3. Subnet 192.168.1.0/24 and 172.16.1.0/24 cannot reach each other</P><P>&nbsp;</P><P>With correct LDAP config (LDAP IP, Port, Base DN, etc.). Go to "Device &gt; User Identification &gt; Group Mapping Settings &gt; Group Include List". When expand the AD Users and Computers list always show failed to connect to the AD server.</P><P>&nbsp;</P><P>After I change the management interface IP to the same subnet of Windows AD or set route to allow communication between the 2 subnet. The problem gone.</P><P>&nbsp;</P><P>Is this the product restriction or did I miss something?</P> Thu, 12 Jul 2018 03:10:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221867#M63840 jeremylo 2018-07-12T03:10:59Z https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221882#M63844 <P>By default ldap service is on management interface. Go to device, setup, services and change the default to an interface that can route to your AD network.</P> Thu, 12 Jul 2018 06:19:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221882#M63844 Mick_Ball 2018-07-12T06:19:04Z https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221883#M63845 <P>Thanks MickBall. Customize service route configuration solve the probem.</P> Thu, 12 Jul 2018 06:36:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-not-work-if-management-interface-ip-address-cannot-reach/m-p/221883#M63845 jeremylo 2018-07-12T06:36:44Z