LDAPS does not work with NSX 4.1.0 or above
Article ID: 322433


Products

VMware NSX

Issue/Introduction

  • NSX is installed in version 4.1.0 or above.
  • LDAPS (default port 636) or LDAP with StartTLS does not work.
  • After adding LDAPS in the VMware NSX UI (or re-adding it, for existing implementations), the following error may be observed in the logs (/var/log/proton/policy-ui.log, /var/log/syslog or /var/log/proton/nsxapi.log):
    Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostname, port, and other parameters are correct. (Error code: 53000)
  • If Identity firewall (IDFW) is configured, it may have stopped working and the LDAP server configured for IDFW status is shown as DOWN.
  • LDAP (port 389) is not affected.
  • From NSX Manager, a plain TCP connection to the LDAPS server on port 636 is successful:
    nc -vz <ldaps-server> 636
  • A packet capture on NSX Manager, taken while running the connection status check from the NSX Manager UI, shows a connection reset from the LDAP server.
  • LDAP authentication might work, but using the Check Status button while configuring the LDAP server fails.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX 4.x

Cause

This behaviour occurs because older, insecure TLS cipher suites were disabled in NSX 4.1 and above. If the LDAP server is an older version that does not support the more secure cipher suites NSX now offers, the TLS handshake fails. LDAP servers must also support at least TLS version 1.2, or connections will fail: TLS versions 1.1 and earlier are now considered insecure and NSX does not support them by default.
  • IDFW uses the proton service for its LDAP connections, so this issue can also cause IDFW to stop working.
  • User login/logout events do not use proton but a separate service, and are not affected by the cipher suite change.
  • The LDAP server connection status check uses the proton service and is therefore affected by the cipher suite change.

Resolution

This is a condition that may occur in a VMware NSX environment.

Workaround:

  • Ensure the LDAPS server, or the LDAP server used with StartTLS, supports one of the secure cipher suites listed below.

If you believe you have encountered this issue and are unable to upgrade the LDAPS or LDAP with StartTLS server cipher suite at this time, please open a support case with Broadcom Support and refer to this KB article.
For more information, see Creating and managing Broadcom support cases.
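A practitioner will usually want to confirm, before opening a case, whether the LDAP server can complete a handshake with exactly what NSX 4.1 offers. The following probe is an added example and not part of this KB or of NSX: it builds a client context restricted to TLS 1.2 or newer and the two suites listed under Additional Information (translated from their IANA names to the OpenSSL names Python's ssl module expects), then classifies the outcome of a handshake. Certificate verification is left on, because reaching certificate verification already proves the server accepted the cipher suite and protocol version.

```python
import socket
import ssl

# IANA suite names from the KB, mapped to the OpenSSL names that
# ssl.SSLContext.set_ciphers() (and `openssl s_client -cipher`) expect.
NSX_41_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

def nsx_like_context() -> ssl.SSLContext:
    """Client context that offers only what NSX 4.1+ offers: TLS 1.2 or newer
    and the two ECDHE/AES-256-GCM suites from the KB. Verification stays on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(NSX_41_SUITES.values()))
    return ctx

def offered_tls12_suites(ctx: ssl.SSLContext) -> list[str]:
    """TLS 1.2 suites this context will place in its ClientHello. TLS 1.3
    suites are fixed by OpenSSL and not controlled by set_ciphers()."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")

def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Handshake with an LDAPS server the way NSX 4.1+ would and classify the result."""
    ctx = nsx_like_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as e:
        # The handshake reached certificate verification, so the server accepted
        # our suite and protocol version; the remaining problem is trust, not ciphers.
        return {"ok": False, "cipher_ok": True, "error": f"certificate not trusted: {e.verify_message}"}
    except ssl.SSLError as e:
        # handshake_failure / protocol_version alert: no overlap in suites or TLS
        # versions, which is the condition this KB describes.
        return {"ok": False, "cipher_ok": False, "error": f"TLS handshake failed: {e.reason}"}
    except ConnectionResetError:
        # Some servers reset instead of sending an alert (matches the KB's capture).
        return {"ok": False, "cipher_ok": False, "error": "connection reset during handshake"}
    except OSError as e:
        # TCP-level failure: nothing about ciphers can be concluded yet.
        return {"ok": False, "cipher_ok": None, "error": f"connection failed: {e}"}

if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    print(probe_ldaps(sys.argv[1], port))
```

A result with `cipher_ok: False` against a server that the `nc -vz` check above reaches fine reproduces the KB's symptom and points at the LDAP server's TLS configuration rather than at the network.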

Additional Information

Cipher suites now used by VMware NSX 4.1 and above:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher suites used by previous versions of VMware NSX:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

The packet capture below shows the Client Hello from VMware NSX Manager offering the two cipher suites: