PanOS ldap issue

cancel
Showing results for 
Search instead for 
Did you mean: 

PanOS ldap issue

L0 Member

Hi

we are facing some issues on our 3220 fw 9.1.9 (same issue in 9.1.8)

 

ldap group membership sync is not working anymore

 

this 3220 Fw is our Lan FW

ldap server profile is correct

we can add correctly group in the user group mapping, AD tree is browsable

but groups are empty or  "does not exist or does not have member "

 

the fact is that we also have FW for Internet, with same ldap server profile, with same ldap server and same account

I add the same group, and it sees the membeship correctly

 

On our ActiveDirectro server, we can see this :

 2148074289 The client and server cannot communicate, because they do not possess a common algorithm. Internal ID: c05086b

with the Ip of the FW

within the trace, i can't see Server hello to find out which cypher is missing

 

Any help would be very appreciated !

 

Thank you very much 

 

4 REPLIES 4

L7 Applicator

seems odd that if the server and client cannot communicate with each other then how do you see the group in the first place...

 

also..

under user identification, server profile, check the domain settings and group objects are correct along with the user objects settings because although the group is visible, these are the settings that determine who is in that particular group.  so if the domain entry is wrong or has an extra space then it will not list any users.

 

and finally ... check that user and group attributes are the same as the other device that works correctly.

Cyber Elite
Cyber Elite

@Support_info,

I'd be looking to verify everything is actually correct within the configuration and the permissions of the service account if you are using a different account for both nodes. 

Cyber Elite
Cyber Elite

Hi @Support_info 

What do you mean with "ldap group membership sync is not working anymore"? Did it once work? If yes, did you change something or installed a new version? Are both firewalls running the same PAN-OS version?

Anyway even with the newest windows versions the ciphers shouldn't be a problem - as long as you did not manually disable some of them on the active directory server. Do you have the option configured, that the firewall verifies the servercertificate? If yes, do you have your issuing/root CA cert installed on both firewalls and also marked as trusted root or is this maybe only done on the internet firewall where the ldap sync is still working?

L0 Member

Hi

Yes, it was working fine for years

after some digging, we have another domain for a futur migration

on this domain, we have only a few group and a few users.

this domain is completly autonomous, no connexion with the actual domain. 

the only thing in common, is the PA 3220 as gateway for all subnets including the new domain

 

After adding a test group, we found that the pa3220 has discovered 2 users on 5 users in the AD group

and for the second added group, it says "does not exist or does not have members"

 

We can now eleminate an activedirectory issue, and narrow the issue to the FW

it seems that the fw filters ldap results

 

a case has been opened, waiting ...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!