This is a known issue impacting NSX-T data center.
Workaround:
You can remove the LDAP(S) configuration and re-add it, so that the LDAP(S) server names are resolved again in DNS and the correct, current IP addresses of all LDAP(S) servers are picked up.
If you are unable to remove LDAP(S), you can use the following procedure.
As root on each NSX-T Manager, do the following, one manager at a time:
- Check whether the file '/etc/iptables/nsx-saved-iptables.v4rules' exists. If it does not, create it from the currently loaded rules:
  iptables-save > /etc/iptables/nsx-saved-iptables.v4rules
- Open the file for editing:
  vi /etc/iptables/nsx-saved-iptables.v4rules
- Add the following two rules at the end of the file, but before the COMMIT line:
  -A OUTPUT -d <LDAP-SERVER-IP-CIDR> -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
  -A OUTPUT -d <LDAP-SERVER-IP-CIDR> -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
- Save the file and quit the editor.
- Note: <LDAP-SERVER-IP-CIDR> is the IP address of an LDAP server in CIDR notation. Either add the subnet that contains the LDAP servers once, or add the pair of rules once for each individual LDAP server.
  Example for individual LDAP servers:
  -A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
  -A OUTPUT -d 192.168.110.10/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
  -A OUTPUT -d 192.168.110.11/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
  -A OUTPUT -d 192.168.110.11/32 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
  Example for a subnet:
  -A OUTPUT -d 10.0.0.0/8 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 111 -j ACCEPT
  -A OUTPUT -d 10.0.0.0/8 -o eth0 -p tcp -m tcp --dport 389 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 113 -j ACCEPT
- Restart the iptables service so that the saved rules are loaded:
  service set-iptables restart
- Confirm that the new rules have been loaded:
  iptables -L -n | grep 389
Note: The preceding rules are only examples. The IP addresses and other environment-specific values may vary depending on your environment.
Note: If using LDAPS, replace port 389 above with port 636.
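The following script is an added example and is not part of the KB article or of NSX-T; it performs the manual edit above (create the saved-rules file if missing, insert the two per-UID rules for each LDAP server before the COMMIT line, reload, confirm) in a way that can be re-run safely and that takes the port as a parameter so the same code covers LDAP (389) and LDAPS (636). The function names, the RULES_FILE variable, the "apply" argument and the sample iptables-save dump are inventions of this example; the only assumption beyond the article's rule text is that the dump contains a '*filter' table closed by its own COMMIT line, which is where an OUTPUT rule belongs even when other tables follow it in the file.

```shell
#!/bin/sh
# Added example, not part of the KB article: applies the article's LDAP(S) egress rules to
# the iptables-save file idempotently. Assumption: the dump has a '*filter' table closed by
# its own COMMIT line. The function names, RULES_FILE and the "apply" argument are this
# example's own (the article edits the file by hand with vi).

RULES_FILE="${RULES_FILE:-/etc/iptables/nsx-saved-iptables.v4rules}"
LDAP_UIDS="111 113"   # the two UIDs the article's rules match with -m owner

# ldap_rule CIDR PORT UID -> prints one rule line exactly in the article's format
ldap_rule() {
    printf '%s\n' "-A OUTPUT -d $1 -o eth0 -p tcp -m tcp --dport $2 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner $3 -j ACCEPT"
}

# insert_ldap_rules FILE PORT CIDR... -> adds the rules for every CIDR that are not yet
# present, placing them just before the COMMIT line of the *filter table (the article's
# "end of the file, but before the COMMIT line"); re-running is a no-op.
insert_ldap_rules() {
    file="$1"; port="$2"; shift 2
    pending=""
    for cidr in "$@"; do
        for uid in $LDAP_UIDS; do
            rule="$(ldap_rule "$cidr" "$port" "$uid")"
            # -x whole line, -F literal; '--' because the rule itself starts with '-A'
            if ! grep -qxF -- "$rule" "$file"; then
                pending="${pending}${rule}\\n"   # awk -v turns the \n escapes into newlines
            fi
        done
    done
    [ -n "$pending" ] || return 0
    tmp="${file}.tmp.$$"
    awk -v rules="$pending" '
        /^\*/ { table = substr($0, 2) }                 # remember which table we are in
        $0 == "COMMIT" && table == "filter" { printf "%s", rules }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_ldap_rules FILE PORT -> number of LDAP ACCEPT rules for PORT in FILE
count_ldap_rules() {
    grep -c -e "--dport $2 .*--uid-owner 11[13] -j ACCEPT" "$1" || true
}

# rules_in_filter FILE -> succeeds only if every LDAP/LDAPS rule sits inside the *filter table
rules_in_filter() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /--dport (389|636) .*--uid-owner (111|113) / && table != "filter" { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# make_sample_rules_file -> writes a constructed iptables-save dump (not a real manager's
# file) with a nat table ahead of the filter table, so the choice of COMMIT line matters
make_sample_rules_file() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# Generated by iptables-save (constructed sample for this example)
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
    printf '%s\n' "$f"
}

# Real use on a manager, as root, one manager at a time (this branch is the article's
# procedure end to end; it is skipped when the script is run without "apply"):
#   sh add-ldap-rules.sh apply 389 192.168.110.10/32 192.168.110.11/32   # 636 for LDAPS
if [ "${1:-}" = "apply" ]; then
    port="$2"; shift 2
    [ -f "$RULES_FILE" ] || iptables-save > "$RULES_FILE"
    insert_ldap_rules "$RULES_FILE" "$port" "$@"
    service set-iptables restart
    iptables -L -n | grep -- "$port"
fi
```

Two details are worth noting. The rule is matched with grep -x -F before it is added, so running the script again after a DNS change or a second maintenance window does not duplicate rules. The rules are inserted before the COMMIT that closes the *filter table rather than before the last COMMIT in the file, because an iptables-save dump can carry several tables and an OUTPUT rule written into the nat or mangle section would not produce the intended effect.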