08-21-2016 08:11 PM
Hi,
No changes on Firewall or LDAP server side. All of a sudden noticed for some virtual systems, LDAP server connection failed.
The LDAP is configured correctly and we have the read permissions for everything in AD user.
Errors in usridd.log:
2016-08-22 10:50:34.768 +1000 connecting to ldap://[192.168.12.16]:636 with StartTLS...
2016-08-22 10:50:34.772 +1000 Error: pan_ldap_init_ex(pan_ldap.c:249): start_tls_s return(-1) : Can't contact LDAP server
2016-08-22 10:50:34.772 +1000 connecting to ldaps://[192.168.12.16]:636 ...
2016-08-22 10:50:34.778 +1000 Error: pan_ldap_init_ex(pan_ldap.c:253): install_tls return(-11) : Connect error
2016-08-22 10:50:34.778 +1000 Error: pan_user_get_ldap(pan_group_selection_n.c:74): pan_ldap_init(192.168.12.16, 636) failed: Connect error
Any idea what is it indicating?
Regards
Farzana
08-31-2016 03:47 PM
Hello,
Issue is resolved by unchecking the SSL box, committing, then checking the SSL box and committing again.
Thanks
Farzana
08-22-2016 02:24 AM
have you tried disabling SSL on the ldap profile ?
try increasing the debug level:
> debug user-id on debug > debug user-id set ldap all
this may provide you with more details
don't forget to unset debugging after you're done:
> debug user-id unset all > debug user-id on info
08-31-2016 03:47 PM
Hello,
Issue is resolved by unchecking the SSL box, committing, then checking the SSL box and committing again.
Thanks
Farzana
09-27-2016 02:12 AM
i have the same messages:
2016-09-27 11:02:39.493 +0200 connecting to ldap://[XXXXXX.domain.com]:636 with StartTLS...
2016-09-27 11:02:39.496 +0200 Error: pan_ldap_init_ex(pan_ldap.c:249): start_tls_s return(-1) : Can't contact LDAP server
2016-09-27 11:02:39.496 +0200 connecting to ldaps://[XXXXXX.domain.com]:636 ...
2016-09-27 11:02:39.609 +0200 ldap cfg Pan_Grp connected to XXXXXX.domain.com:636(index 0)
looks like, it tries to connect with normal LDAP:636 and then successfully with LDAPS:636. LDAP:636 will not work...
Checkbox "SSL required" is checked and it still tries LDAP:636 first...
09-27-2016 03:44 PM
Hi Hithead,
We opened a support case for this and now it is escalated to their engineering team. PAN support has suggested to upgrade to 7.0.10 and see if it addresses the issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
