Cannot integrate with AD Server

L1 Bithead

I am trying to integrate PA firewall with newly installed Active Directory server (windows server 2019) but it is not connecting.  I get the error Failed to connect to 10.x.x.x(10.x.x.x):389 and the server monitoring status says host unreachable.  The group mapping, group include list does not populate as the firewall has not made connection yet.  Multiple hosts can ping the server successfully, so it is reachable.

 

I have reinstalled and reconfigured the AD server and also tried with a new Server 2016 but get the same error.  I have used this configuration before with Server 2019 and it connected without any issues.  However, this time I do have IPSec and GlobalProtect tunnels running and a few other security policies, and all of that is working fine.

 

I have checked everything but can’t find what could be wrong.  Is a security policy/rule required for the User-ID agent? The user ID I created is a member of Event Log Readers, Distributed COM Users and Server Operators.  There is already traffic to and from the AD server before trying to set up AD.  Any help is appreciated.

1 ACCEPTED SOLUTION

I fixed this by pointing the service route for the User-ID agent and LDAP to the internal/trusted interface instead of the management interface.  The server is connected now and is working.

 

Thanks
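As an added illustration of the fix described above (not from the original thread), this is the PAN-OS CLI equivalent of moving the LDAP and User-ID agent service routes from the management interface to a data-plane interface, followed by the checks that confirm the firewall is now talking to the domain controller. The interface name ethernet1/2, its address 10.0.0.1/24 and the domain controller address 10.0.0.10 are assumptions; substitute your own.

```text
# Assumed topology (not from the thread): trust interface ethernet1/2 = 10.0.0.1/24,
# domain controller = 10.0.0.10. Service names "ldap" and "uid-agent" are the PAN-OS ones.
configure
set deviceconfig system route service ldap source interface ethernet1/2
set deviceconfig system route service ldap source address 10.0.0.1/24
set deviceconfig system route service uid-agent source interface ethernet1/2
set deviceconfig system route service uid-agent source address 10.0.0.1/24
commit
exit

# Confirm reachability from the data-plane address the firewall will now use as its source
ping source 10.0.0.1 host 10.0.0.10

# Server monitoring should move from "host unreachable" to connected, and group mapping
# should start populating once the LDAP bind succeeds
show user server-monitor state all
show user group-mapping state all
```

In the web UI the same setting is under Device > Setup > Services > Service Route Configuration > Customize, where LDAP and UID Agent can be given a source interface and source address. Two points worth knowing when choosing between the two routes: traffic the firewall itself originates from a data-plane interface is not evaluated against security policy, so no allow rule is needed for it, but the domain controller does need a route back to whichever source address is chosen and its host firewall must accept TCP 389 from that address.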


3 REPLIES

L3 Networker

The connection is done via the management plane. If you are able to SSH into the box, you can try the "ping host 10.x.x.x" command to ensure there is connectivity. If you aren't getting a ping reply, then I would recommend looking into your security profiles with the "test policy match" button at the bottom of the ruleset.

 

Check the box to ensure it parses through all rules until first allow rule. This way you should be able to see which zones the traffic is traversing (ensuring we aren't moving down the tunnel). 

 

Are you using a terminal agent, or are you doing userID agentless? 

NW
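As an added example (not part of the reply above), these are the CLI equivalents of the two checks suggested: a FIB lookup to see which interface and zone the firewall would use to reach the domain controller (and therefore whether that traffic would be sent into the IPSec tunnel), and a policy match test for LDAP on TCP 389. The zone name trust, the addresses 10.0.0.1 and 10.0.0.10 and the virtual router name default are assumptions.

```text
# Assumed values (not from the thread): virtual router "default", trust interface 10.0.0.1,
# domain controller 10.0.0.10, zone "trust" on both sides.

# Which interface and next hop would data-plane traffic to the DC egress on?
# If the answer is a tunnel.N interface, a tunnel route is capturing the traffic.
test routing fib-lookup virtual-router default ip 10.0.0.10

# Which security rule would match an LDAP connection from the trust interface to the DC?
test security-policy-match from trust to trust source 10.0.0.1 destination 10.0.0.10 protocol 6 destination-port 389 application ldap
```

Both commands describe data-plane traffic only. Anything the firewall sends from the MGT interface leaves via the management port, follows the management default gateway rather than the virtual router, and is never evaluated against security policy, so a policy match test cannot explain a failure on a service route that is still pointed at the management interface.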

Thanks for your assistance with this.

I am using userID agentless

 

I can ssh to the PA and ping the AD server 10.x.x.x using:

ping source <192.x.x.x (management IP)> host <10.x.x.x (AD server IP)>

ping source <10.x.x.x (management internal/trust IP)> host <10.x.x.x (AD server IP)>

The server can also ping the PA

 

Check the box to ensure it parses through all rules until first allow rule. This way you should be able to see which zones the traffic is traversing (ensuring we aren't moving down the tunnel). 

 

I suspect the solution lies in here.  Any easier way to do this test from the GUI?  My experience is not great and I am not using Panorama like the documentation describes.  Any specific “Allow” rule I need to apply to explicitly allow access either to the AD server or to the userID agentless account?

