Authentication Manager replica appliance random LDAP errors
We have 2 authentication manager appliances configured. One in our production data center, the other in our DR data center. This has worked well for years.
A couple of months back the replica started sending the following alert via email: Attention! The following critical system event occurred: Failed to connect to LDAP Identity Source (domain controller name)
This is a sporadic event happening throughout the day. I cannot pin it down to a specific time nor anticipate it. It does occasionally cause users to have trouble logging in if they are being serviced by the replica instance while it is having these issues. We receive 2 copies of the email with the error in it each time it happens, then it starts working again.
The appliance is installed on a vSphere cluster. I've positioned both the appliance and our domain controller on the same host and still see this issue. I contacted support and they insist it is a network issue but I'm not sure how to troubleshoot this further. They were not helpful at all.
Can we run packet captures on the appliance to the domain controller?
Looking for any advice here. There are no firewalls between the servers. Again, they are running on the same hardware host. The only thing I can think of is that maybe packets are getting dropped when the traffic traverses the switch?
- Tags:
- always DNS
- DC
- dns
- domain controller
- Failed to connect to LDAP Identity Source
- identity source
- network issue
Accepted Solutions
Try reversing the LDAP server's Directory URL with the Directory Failover URL in the Operations Console Identity Source Properties page. Do you still see the error? If so, it is most likely an issue with the domain controller, DNS*, or another network issue. Also try switching from the URL to the IP address if the issue presents again. If you are still seeing the error, please open a case with support for more detailed troubleshooting.
*It is always DNS 💀
Best regards,
Erica
We were getting the error from both DNS servers before and I had removed the secondary as it was pointed at our production site. So I wasn't sure if it was something over the WAN causing an issue. Keep in mind we've had this working for years without issue so I didn't think to try to use the IP instead of the FQDN for the domain controller. So last night I switched to the IP address of the domain controller for LDAP and not a single error message since. I'll take that as a win and thank you for the suggestion!
No idea why DNS would suddenly start giving us issues with this. And yes, it's usually DNS!
One other thing to check is connectivity at the replica itself. When you go to the Primary Ops Console and validate the connection config, it only tests from the Primary, even when you click on the replica config button. If you go to the OC of the replica, you can't configure AD but you can test it.
And for the very reasons mentioned above, I always use IP addresses instead of hostnames for AD, because if you lose DNS you lose everything.
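To test connectivity from the replica's side of the network and tell a DNS failure apart from a dropped connection, a stage-aware probe like the one below can be sampled over time; it is an added example, not RSA's or the appliance's own code. It assumes a host on the replica's network segment where Python can run, the identity source's domain controller name, and LDAPS on port 636 as the default (the page does not name a port).

```python
# Stage-aware probe for an LDAP identity source: separates "name did not
# resolve" from "TCP connect failed". Added example, not the appliance's code.
import socket
import time
from collections import Counter
from dataclasses import dataclass

@dataclass
class ProbeResult:
    host: str
    port: int
    stage: str       # "ok", "dns" (resolution failed) or "tcp" (connect failed)
    detail: str      # resolved address, or the error text
    elapsed_ms: float

def probe_ldap(host: str, port: int = 636, timeout: float = 3.0) -> ProbeResult:
    """Resolve host, then TCP-connect to port; report which stage failed."""
    start = time.monotonic()
    elapsed = lambda: round((time.monotonic() - start) * 1000, 1)
    try:
        # Resolution is its own step so a DNS fault is reported as such.
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        return ProbeResult(host, port, "dns", str(exc), elapsed())
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            pass  # TCP is up; the appliance would go on to TLS and LDAP bind
    except OSError as exc:  # refused, timed out, unreachable, ...
        return ProbeResult(host, port, "tcp", f"{addr}: {exc}", elapsed())
    return ProbeResult(host, port, "ok", addr, elapsed())

def sample(host: str, port: int = 636, count: int = 60, interval: float = 5.0) -> list:
    """Repeat the probe so an intermittent fault shows up in the tally."""
    results = []
    for i in range(count):
        results.append(probe_ldap(host, port))
        if i < count - 1:
            time.sleep(interval)
    return results

def failure_summary(results: list) -> dict:
    """Count outcomes per stage, e.g. {'ok': 58, 'dns': 2}."""
    return dict(Counter(r.stage for r in results))

def probe_via_local_listener() -> str:
    """Self-check against a throwaway local listener; expected stage is 'ok'."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_ldap("127.0.0.1", srv.getsockname()[1], timeout=2.0).stage
```

Run `failure_summary(sample("<dc-name>", 636))` with the name configured in the identity source and, alongside it, the same call with the DC's IP address: a tally that shows `dns` failures only for the name points at resolution, while `tcp` failures for both point at the network path.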
