06-03-2021 07:25 AM
Hi
we are facing some issues on our 3220 fw 9.1.9 (same issue in 9.1.8)
ldap group membership sync is not working anymore
this 3220 Fw is our Lan FW
ldap server profile is correct
we can add correctly group in the user group mapping, AD tree is browsable
but groups are empty or "does not exist or does not have member "
the fact is that we also have FW for Internet, with same ldap server profile, with same ldap server and same account
I add the same group, and it sees the membeship correctly
On our ActiveDirectro server, we can see this :
2148074289 The client and server cannot communicate, because they do not possess a common algorithm. Internal ID: c05086b
with the Ip of the FW
within the trace, i can't see Server hello to find out which cypher is missing
Any help would be very appreciated !
Thank you very much
06-03-2021 07:37 AM
seems odd that if the server and client cannot communicate with each other then how do you see the group in the first place...
also..
under user identification, server profile, check the domain settings and group objects are correct along with the user objects settings because although the group is visible, these are the settings that determine who is in that particular group. so if the domain entry is wrong or has an extra space then it will not list any users.
and finally ... check that user and group attributes are the same as the other device that works correctly.
06-03-2021 08:31 AM
I'd be looking to verify everything is actually correct within the configuration and the permissions of the service account if you are using a different account for both nodes.
06-03-2021 08:57 AM
What do you mean with "ldap group membership sync is not working anymore"? Did it once work? If yes, did you change something or installed a new version? Are both firewalls running the same PAN-OS version?
Anyway even with the newest windows versions the ciphers shouldn't be a problem - as long as you did not manually disable some of them on the active directory server. Do you have the option configured, that the firewall verifies the servercertificate? If yes, do you have your issuing/root CA cert installed on both firewalls and also marked as trusted root or is this maybe only done on the internet firewall where the ldap sync is still working?
06-08-2021 07:51 AM
Hi
Yes, it was working fine for years
after some digging, we have another domain for a futur migration
on this domain, we have only a few group and a few users.
this domain is completly autonomous, no connexion with the actual domain.
the only thing in common, is the PA 3220 as gateway for all subnets including the new domain
After adding a test group, we found that the pa3220 has discovered 2 users on 5 users in the AD group
and for the second added group, it says "does not exist or does not have members"
We can now eleminate an activedirectory issue, and narrow the issue to the FW
it seems that the fw filters ldap results
a case has been opened, waiting ...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
