[VMC on AWS] LDAPS may stop working after upgrading to SDDC version 1.22
search cancel

[VMC on AWS] LDAPS may stop working after upgrading to SDDC version 1.22

book

Article ID: 323284

calendar_today

Updated On:

Products

VMware NSX Networking VMware Cloud on AWS

Issue/Introduction

Symptoms:
  • LDAPS (port 636) is not working after upgrading NSX to version 4.1.0.
  • Following error is generated when readding LDAPS
    • "Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostnam, port, and other parameters are correct. (Error code: 53000).
  • LDAP (port 389) will continue to work.
  • From NSX manager connection to LDAP server on port 636 is successful.
    • nc -vz <ldap> 636
  • Packet capture on NSX manager, while running connection status check from NSX manager UI, shows connection reset from LDAP server.
image.png

Environment

VMware NSX 4.1.0

Cause

The issue happens because of change in cipher suites used by NSX 4.1 in Client Hello. In version 4.1 NSX manager sends only two cipher suites in Client Hello packet. If the LDAP server does not support those cipher suites then it resets the connection. To make the connection more secure some cipher suites were removed in this version.

Client Hello sent from NSX manager version 4.1. It is using only two cipher suites.
image.png

Resolution

Upgrade the LDAP server to support the cipher suite.  If you experience continued issues please open a Support Request with VMware for assistance.