
get-ldap-data-failure - LDAP Failover doesn't work


L1 Bithead

I had two LDAP servers configured on a firewall. The primary LDAP server had an issue with high CPU and memory, due to which the firewall lost the group membership even though the firewall still had L3 reachability.

During the log analysis I found get-ldap-data-failure from the primary LDAP.

We manually failed over LDAP to the secondary one and this resolved the issue, but the primary concern is how we can trigger an LDAP failover based on information being missing rather than just L3 reachability.

In this case, the firewall was not losing any pings to the primary LDAP; it was just not getting the data at the right time.

 


Cyber Elite

Hello @dramchandani

 

To be honest, I do not think that the PA firewall is built for this kind of health check. To address this use case, I would look into pointing the firewall to the virtual IP address of a load balancer and having the load balancer perform LDAP health check queries against the LDAP servers. In this case the load balancer could take an unhealthy server out of the server pool.

 

Kind Regards

Pavel  

Help the community: Like helpful comments and mark solutions.
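The following is an added example, not code from this thread or from Palo Alto Networks. It models the kind of health check a load balancer in front of the LDAP servers would run: a server stays in the pool only if it answers a bind and a group search with data and within a deadline, not merely if it answers on the wire. The server names, addresses, probe outcomes and thresholds are constructed; the bind and search layers are assumed to be supplied by whatever LDAP client the load balancer uses, and only the decision and failover logic is shown.

```python
"""Data-aware LDAP health check with failover and flap damping.

Added example, not code from the thread or from Palo Alto Networks. It models
the check a load balancer in front of the LDAP servers would run: a server is
kept in the pool only if it answers a bind and a group search with data in
time, not merely if it answers on the wire. Server names, addresses, probe
results and thresholds are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProbeResult:
    """Outcome of one probe; each field is one layer of the check."""
    tcp_ok: bool          # TCP connect succeeded (what a ping/L3 check would also catch)
    bind_ok: bool         # bind as the monitoring account succeeded
    entries: int          # entries returned by the group-membership search
    latency_s: float      # wall-clock time of the whole probe


@dataclass
class LdapServer:
    name: str
    host: str
    port: int = 389
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Reachability layer only; the bind and search layers need an LDAP client
    (not included here) and are fed in through ProbeResult."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_healthy(r: ProbeResult, min_entries: int = 1, max_latency_s: float = 5.0) -> bool:
    """Every layer must pass: reachable, bound, data returned, and in time."""
    return r.tcp_ok and r.bind_ok and r.entries >= min_entries and r.latency_s <= max_latency_s


class HealthMonitor:
    """Tracks server state with N-failures-out / M-successes-in hysteresis."""

    def __init__(self, servers: List[LdapServer],
                 probe: Callable[[LdapServer], ProbeResult],
                 fail_threshold: int = 3, success_threshold: int = 2) -> None:
        self.servers = servers          # priority order: first healthy one wins
        self.probe = probe
        self.fail_threshold = fail_threshold
        self.success_threshold = success_threshold

    def run_once(self) -> None:
        for s in self.servers:
            if is_healthy(self.probe(s)):
                s.consecutive_failures = 0
                s.consecutive_successes += 1
                if s.consecutive_successes >= self.success_threshold:
                    s.healthy = True
            else:
                s.consecutive_successes = 0
                s.consecutive_failures += 1
                if s.consecutive_failures >= self.fail_threshold:
                    s.healthy = False

    def active_server(self) -> Optional[LdapServer]:
        return next((s for s in self.servers if s.healthy), None)


# Constructed probe outcomes: the primary still answers on the wire and binds,
# but returns no group entries and only after the deadline; the secondary is fine.
DEGRADED = ProbeResult(tcp_ok=True, bind_ok=True, entries=0, latency_s=7.5)
GOOD = ProbeResult(tcp_ok=True, bind_ok=True, entries=42, latency_s=0.2)


def simulate(primary_results: List[ProbeResult]) -> List[str]:
    """Run one monitor cycle per scripted primary result and return the server
    selected after each cycle. The secondary is scripted healthy throughout."""
    servers = [LdapServer("ldap-primary", "192.0.2.10"),
               LdapServer("ldap-secondary", "192.0.2.11")]
    script: Dict[str, List[ProbeResult]] = {
        "ldap-primary": list(primary_results),
        "ldap-secondary": [GOOD] * len(primary_results),
    }
    monitor = HealthMonitor(servers, probe=lambda s: script[s.name].pop(0))
    chosen: List[str] = []
    for _ in primary_results:
        monitor.run_once()
        active = monitor.active_server()
        chosen.append(active.name if active else "none")
    return chosen


if __name__ == "__main__":
    # Three bad probes take the primary out; two good ones bring it back.
    print(simulate([DEGRADED, DEGRADED, DEGRADED, GOOD, GOOD]))
```

The DEGRADED outcome is exactly the situation in the thread: TCP and bind succeed, so a ping or port check would keep the primary in service, but the group search returns nothing and too late, so the data-aware check pulls it after three consecutive failures and only readmits it after two consecutive good probes, which keeps a CPU-starved server from flapping in and out of the pool.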

Hello @PavelK 

 

Thanks for responding; yes, an LB makes sense in this case.

The other question I have is, why would the firewall lose the cached entries? The firewall has the LDAP query timer configured as 60 minutes, and after 60 minutes the FW will fetch the delta configuration from LDAP, but in this case the firewall lost the complete group membership and there was not a single group entry. Why would the firewall lose all of the cached/learned entries?

Cyber Elite

Hello @dramchandani

 

Thank you for the reply.

 

I see what you mean. Based on my past experience, the default LDAP query timer has never failed me. I do not have an answer for this. From your post it looks like you went pretty deep into troubleshooting, but just in case, did you have a chance to review the logs (tail mp-log authd.log) to see what exactly happened?

 

Kind Regards

Pavel 
