Unable to join ProxySG or ASG to domain with error "NERR_DCNotFound"

Article ID: 170339

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

The ProxySG or Advanced Secure Gateway (ASG) is unable to join the Active Directory (AD) domain after upgrading to SGOS version 6.5.10.6, 6.6.5.5, 6.7.2.1 or higher.

The error "NERR_DCNotFound" pops up when joining the domain.

Cause

Current versions of ProxySG and ASG contact only the Domain Controllers (DCs) in their local AD site. This feature is called "site awareness". It was added to avoid network-related problems between sites when contacting remote DCs, which caused performance issues. If the site has only a Read-Only Domain Controller (RODC), the ProxySG contacts that RODC because it belongs to the same local AD site as the ProxySG. Joining the ProxySG or ASG to the domain then fails, because a Read-Write DC is required for the join and none is available locally.

Earlier SGOS versions worked because the ProxySG or ASG contacted remote DCs in addition to local DCs during the join process.
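Before changing anything on the proxy, an AD administrator can confirm that the site the ProxySG or ASG belongs to really has no writable DC. The PowerShell check below is an added example, not part of this article or of SGOS; it assumes the ActiveDirectory module is installed, and the domain name and site name are placeholders (the site is the one the proxy's subnet maps to, which Get-ADReplicationSubnet shows).

```powershell
# Added example (not from the article or SGOS): does the AD site a ProxySG/ASG
# sits in contain any writable DC? Site-aware joining needs one there.
# Placeholders: set these to your own domain and the proxy's AD site.
$Domain = "corp.example.com"   # placeholder
$Site   = "BranchSite"         # placeholder

Import-Module ActiveDirectory

# 1. Every DC registered in that site, with its read-only flag.
$dcsInSite = Get-ADDomainController -Filter "Site -eq '$Site'" -Server $Domain |
    Select-Object Name, IPv4Address, IsReadOnly
$dcsInSite | Format-Table -AutoSize

# 2. Ask the DC locator for a writable DC in that site. -Writable is the same
#    requirement a domain join has, so this mirrors what the proxy asks for.
#    The locator may answer with a DC from another site, so compare the site.
try {
    $writable = Get-ADDomainController -Discover -DomainName $Domain `
                    -SiteName $Site -Writable -ForceDiscover
    if ($writable.Site -eq $Site) {
        "Writable DC in site ${Site}: $($writable.HostName)"
    } else {
        "No writable DC in site ${Site}; locator fell back to $($writable.HostName) in site $($writable.Site)"
    }
} catch {
    "No writable DC discovered for site ${Site}: $($_.Exception.Message)"
}

# 3. Summary: a site holding only RODCs reproduces the NERR_DCNotFound join
#    failure while site awareness is enabled on the proxy.
if ($dcsInSite -and -not ($dcsInSite | Where-Object { -not $_.IsReadOnly })) {
    "Site ${Site} contains only read-only DCs."
}

# Equivalent classic check from a domain-joined Windows host:
#   nltest /dsgetdc:$Domain /site:$Site /writable /force
```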

Resolution

SGOS versions 6.5.10.8, 6.6.5.13, 6.7.3.11 and 6.7.4.107, and later, introduce a parameter that toggles the site-awareness behavior, so that the ProxySG or ASG can fall back to the behavior of previous SGOS versions and join the domain through remote DCs if required.

From the CLI:

en
conf t
security windows-domains
site-aware disable

By default, site awareness is enabled; that is, the ProxySG or ASG queries only the local DCs of its own Active Directory site. Once site awareness is disabled, the ProxySG or ASG reverts to the previous behavior and queries all sites for DCs during the join process, which resolves this issue.

One workaround is to downgrade to SGOS 6.5.10.3 or SGOS 6.6.5.4 or earlier. Another is to add a Read-Write DC to the local site.