[VMC on AWS] LDAPS may stop working after upgrading to SDDC version 1.22
Article ID: 323284
Products
VMware Cloud on AWS, VMware NSX
Issue/Introduction
LDAPS (port 636) is not working after upgrading NSX to version 4.1.0.
The following error is generated when re-adding the LDAPS identity source:
"Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostname, port, and other parameters are correct. (Error code: 53000)."
LDAP (port 389) will continue to work.
From the NSX Manager, a plain TCP connection to the LDAP server on port 636 succeeds:
nc -vz <ldap> 636
A packet capture on the NSX Manager, taken while running the connection status check from the NSX Manager UI, shows a connection reset (TCP RST) sent by the LDAP server right after the TLS handshake starts.
Environment
VMware NSX 4.1.0
Cause
The issue is caused by a change in the cipher suites that NSX 4.1 offers in the TLS Client Hello. In version 4.1 the NSX Manager sends only two cipher suites in the Client Hello packet. If the LDAP server does not support either of them, it cannot negotiate a TLS session and resets the connection. Some cipher suites were removed in this version to make the connection more secure.
Client Hello sent from NSX Manager 4.1, containing only two cipher suites.
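To confirm this cause from the packet capture, decode the Client Hello record and list the cipher suites the NSX Manager offered, then compare that list with what the LDAP server accepts. The following is an added example, not code from this article or from NSX: it parses the TLS record/handshake framing of a Client Hello and returns the offered cipher suite IDs, and `negotiable()` shows whether a server with a given set of supported suites could complete the handshake (an empty result is exactly the situation that produces the reset described above). The sample bytes are constructed for this example and do not represent the actual suites NSX 4.1 sends; in practice the record bytes would be copied from the capture (for example via Wireshark's "Copy as Hex Stream" on the Client Hello record).

```python
import struct

# IANA cipher suite IDs (TLS 1.2/1.3) for readable output; extend as needed.
CIPHER_SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed sample: a TLS 1.2 Client Hello offering four suites, no
# session id, null compression and no extensions. NOT a real NSX capture.
SAMPLE_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 33"    # record: type=handshake(22), version 3.1, length 51
    "01 00 00 2f"       # handshake: type=ClientHello(1), length 47
    "03 03"             # client_version = TLS 1.2
) + bytes(range(32)) + bytes.fromhex(  # 32-byte random (constructed)
    "00"                # session_id length = 0
    "00 08"             # cipher_suites length = 8 bytes (4 suites)
    "13 02 13 01 c0 30 c0 2f"
    "01 00"             # compression_methods: 1 method, null
)


def parse_client_hello(record: bytes) -> list[int]:
    """Return the cipher suite IDs offered in a TLS Client Hello record,
    in the client's preference order. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello body")

    pos = 2 + 32                      # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def suite_name(code: int) -> str:
    """Human-readable name for a suite ID, or unknown(0x....) if not in the table."""
    return CIPHER_SUITE_NAMES.get(code, f"unknown(0x{code:04x})")


def negotiable(offered: list[int], server_supported: set[int]) -> list[int]:
    """Suites both sides share, in client preference order.
    An empty list means the server cannot complete the handshake."""
    return [s for s in offered if s in server_supported]


if __name__ == "__main__":
    offered = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("Client offered:")
    for s in offered:
        print(f"  0x{s:04x} {suite_name(s)}")
    # Constructed example of a legacy LDAP server that only does RSA/CBC suites.
    legacy_server = {0x002F, 0x0035}
    common = negotiable(offered, legacy_server)
    print("Common suites:", [suite_name(s) for s in common] or "NONE - handshake will fail")
```

Run it against the real Client Hello bytes from the capture: if `negotiable()` returns an empty list for the suites the LDAP server is known to support, the reset is explained by the cipher suite mismatch rather than by a certificate or firewall problem.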
Resolution
Upgrade the LDAP server so that it supports the cipher suites offered by NSX 4.1. If the issue persists, contact Broadcom Support.