LDAPS TLS Handshake Failure

L1 Bithead

Hello,

I upgraded one of our PA devices from 10.1.9 to 10.2.4-h4. LDAPS was configured to access and gather users' info from the DC, but it stopped working after the upgrade. I captured traffic and saw the following error: TLS Handshake Failure. I know that starting with version 10.2 Palo Alto Networks has changed the requirements for certificates. I checked ours and it looks like it meets the minimal certificate requirements (RSA2048, SHA256). Currently we use LDAP, but I'd like to switch back to LDAPS.

I appreciate any help.
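A quick offline way to test a server certificate against the minimums cited above (RSA 2048 / SHA-256) is sketched below. This is an added example in Go, not code from this thread or from Palo Alto Networks; the checker, the "SHA-256 or stronger" reading of the requirement and the self-signed sample certificate are our own assumptions, and for the real DC you would feed CheckCert the certificate parsed from the LDAPS server (x509.ParseCertificate on the DER bytes).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the minimum key size the thread cites for PAN-OS 10.2 (RSA 2048).
const MinRSABits = 2048

// Signature algorithms treated as "SHA-256 or stronger" (our reading of the requirement).
var strongSig = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckCert returns findings for an LDAPS server certificate; empty means it meets the
// RSA-2048 / SHA-256 minimums. Chain, hostname, expiry and non-RSA key sizes are not checked.
func CheckCert(c *x509.Certificate) []string {
	var f []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		f = append(f, fmt.Sprintf("RSA key is %d bits, need >= %d", pub.N.BitLen(), MinRSABits))
	}
	if !strongSig[c.SignatureAlgorithm] {
		f = append(f, "signature "+c.SignatureAlgorithm.String()+" is weaker than SHA-256")
	}
	return f
}

// SelfSigned builds a throwaway certificate (constructed sample) so the checker runs offline.
func SelfSigned(bits int, alg x509.SignatureAlgorithm) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // bits >= 1024 assumed
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dc.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, " ", perr))
	}
	return c
}
```

A 2048-bit SHA-256 sample yields no findings, while a 1024-bit key or a SHA-1 signature is reported, which is the kind of mismatch to rule out before blaming the handshake itself.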


L4 Transporter

Hello M0tash,

Can you check the parameters of the certificate on the server side (LDAP server)?
Increase the security level of the certificate (for instance: 4096 bits // digest SHA512) and check if this works.

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer: All messages are my personal ones and do not represent my company's view in any way.

Hello Olivier,

Thank you for the advice.

I've already checked the cert on the DC and also tried to replace it with a stronger cert (RSA3072 | SHA384), but with no luck. I checked your advice too. There is a difference: in case the DC uses an RSA2048 or RSA3072 cert, the NGFW sends an RST packet right after the "Server Hello" message; in the other case, when it uses RSA4096, the DC sends an RST packet right after the Client Hello message. I'm going to check if it is related to the Microsoft OS version.

DM

Hello M0tash, 

I did not ask: is your management interface initiating the traffic to the LDAPS servers, or are you using a service route?

If you use the management interface, is the traffic passing through a firewall doing some decryption?

It can be interesting to capture the communication if you're opening a case with TAC (the TAC engineer can also do the capture).

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer: All messages are my personal ones and do not represent my company's view in any way.

Hello Olivier,

I checked it on my test environment too. The mgmt interface is used for communication to the DC; there is no service route configured for that. The mgmt interface and the DC are in the same subnet, and there are no additional FWs between the devices. OK, I'll try to open a TAC case.

Thank you!
