[VMC on AWS] LDAPS may stop working after upgrading to SDDC version 1.22



Article ID: 323284


Products

VMware Cloud on AWS, VMware NSX

Issue/Introduction

  • LDAPS (port 636) is not working after upgrading NSX to version 4.1.0.
  • The following error is generated when re-adding LDAPS:
    • "Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostnam, port, and other parameters are correct. (Error code: 53000)."
  • LDAP (port 389) will continue to work.
  • From the NSX Manager, a TCP connection to the LDAP server on port 636 succeeds:
    • nc -vz <ldap> 636
  • A packet capture on the NSX Manager, taken while running the connection status check from the NSX Manager UI, shows a connection reset from the LDAP server.

Environment

VMware NSX 4.1.0

Cause

The issue is caused by a change in the cipher suites that NSX 4.1 offers in the TLS Client Hello. In version 4.1 the NSX Manager sends only two cipher suites in the Client Hello packet. If the LDAP server supports neither of them, it resets the connection instead of completing the handshake. The cipher suite list was reduced in this version to make the connection more secure.

[Figure: Client Hello sent from NSX Manager version 4.1, showing only two cipher suites offered.]
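The symptom above is easiest to confirm from the capture itself: read the cipher_suites vector out of the Client Hello and compare it with what the LDAP server is configured to accept. The following script is an added example, not VMware's or Broadcom's code, and it does not know the two suites NSX 4.1 actually sends (the KB does not name them); the suite IDs used here are constructed stand-ins from the IANA registry, and the "server supported" sets are hypothetical. It builds a minimal Client Hello record as test input, parses the offered suites back out of it, and reports whether any overlap exists with the server's list, which is the condition under which the handshake can proceed rather than being reset.

```python
import struct

# IANA cipher suite IDs -> names for the handful used here (constructed subset
# of the registry; the two suites NSX 4.1 actually offers are not named in the KB)
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}


def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record carrying the given cipher
    suites (constructed test input standing in for a captured packet)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                  # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites            # cipher_suites vector
    body += b"\x01\x00"                                         # compression_methods: null only
    body += b"\x00\x00"                                         # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_ciphers(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record, in order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                                # skip client_version and random
    pos += 1 + body[pos]                                        # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def diagnose(record, server_supported):
    """Compare the client's offer against the suites the LDAP server is known to
    support and report whether a handshake can succeed at all."""
    offered = parse_client_hello_ciphers(record)
    common = [c for c in offered if c in server_supported]
    return {
        "offered": [CIPHER_NAMES.get(c, f"0x{c:04X}") for c in offered],
        "common": [CIPHER_NAMES.get(c, f"0x{c:04X}") for c in common],
        "handshake_possible": bool(common),
    }


if __name__ == "__main__":
    # Constructed stand-in for the NSX 4.1 Client Hello: two ECDHE-GCM suites only.
    hello = build_client_hello([0xC030, 0xC02F])
    # Hypothetical legacy LDAP server that only knows RSA-CBC suites: reset expected.
    print(diagnose(hello, {0x002F, 0x0035}))
    # Hypothetical server that also accepts one of the two: handshake proceeds.
    print(diagnose(hello, {0x002F, 0x0035, 0xC02F}))
```

In a live case, replace the constructed record with the raw bytes of the Client Hello exported from the NSX Manager capture, and fill the server set from the LDAP server's own TLS configuration; an empty "common" list is the mismatch this article describes, and the fix is to add one of the offered suites on the server side, not to weaken the NSX Manager.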

Resolution

Upgrade or reconfigure the LDAP server so that it supports the cipher suites offered by NSX 4.1. If you experience continued issues, please contact Broadcom Support.