Frequent "Connectivity to LDAP Server Lost" alarms present in NSX-T UI when multiple LDAPS are configured

Article ID: 375512

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • You are using an NSX-T version prior to the 4.2 release.
  • You have configured multiple domains/LDAP servers for Identity Firewall.
    • You are using LDAPS as the connection protocol instead of LDAP.
  • You experience frequent "Connectivity to LDAP Server Lost" alarms in the NSX-T UI.
  • You observe no connectivity issue when you run "Check Connectivity" in the UI under System --> Identity Firewall.
  • You observe logging and exceptions similar to the following on the NSX-T Manager in /var/log/proton/nsxapi.log:

2024-06-21T12:32:12.969Z  WARN LdapSyncTask SimpleConnector 2233895 INVENTORY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Exception stack:
javax.naming.CommunicationException: DC.test.local:636
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:243) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2849) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) ~[?:1.8.0_362

2024-06-21T12:32:12.970Z WARN LdapSyncTask LdapSyncContext 2233895 INVENTORY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Cannot connect to DC.test.local, try next.
com.vmware.nsx.management.directory.exceptions.DirectoryLdapConnectException: javax.naming.CommunicationException: DC.test.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: dc6465ad876e0b9c26958dee26c942940617df230716adc86cfa76181bbb37c5]
        at com.vmware.nsx.management.directory.synchronization.SimpleConnector.internalConnect(SimpleConnector.java:79) ~[?:?]
        at com.vmware.nsx.management.directory.synchronization.AbstractLdapConnector.connect(AbstractLdapConnector.java:135) ~[?:?]
        at com.vmware.nsx.management.directory.synchronization.CompositeConnector.connect(CompositeConnector.java:36) ~[?:?]
        at com.vmware.nsx.management.directory.synchronization.LdapSyncContext.connect(LdapSyncContext.java:916) ~[?:?]
        at com.vmware.nsx.management.directory.synchronization.LdapSyncContext.initConnection(LdapSyncContext.java:498) ~[?:?]
        at com.vmware.nsx.management.directory.synchronization.LdapSyncContext.internalRun(LdapSyncContext.java:652) ~[?:?]
        at com.vmware.nsx.management.directory.processor.SingleThreadProcessor.run(SingleThreadProcessor.java:57) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_362]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_362]
        at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_362]

  • You observe a thumbprint mismatch and concurrent connection attempts on the NSX-T Manager in /var/log/proton/nsxapi.log:

2024-06-21T12:32:12.965Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC.test.local:636 (LDAPS)
2024-06-21T12:37:12.957Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC.test.local:636 (LDAPS)
2024-06-21T12:37:12.957Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC02.test.local.pl:636 (LDAPS)

Caused by: com.vmware.nsx.management.security.ThumbprintMismatchException: fb810012595951f22528fd1b6a9706251d288458f75643dadab24d510f263cf7
        at com.vmware.nsx.management.security.NsxTrustManager.checkThumbprintTrusted(NsxTrustManager.java:431) ~[nsx-trustmanager-1.0.jar:?]
        at com.vmware.nsx.management.security.NsxTrustManager._checkServerTrusted(NsxTrustManager.java:298) ~[nsx-trustmanager-1.0.jar:?]
        at com.vmware.nsx.management.security.NsxTrustManager.checkServerTrusted(NsxTrustManager.java:259) ~[nsx-trustmanager-1.0.jar:?]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1258) ~[?:1.8.0_362]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_362]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_362]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_362]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_362]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_362]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_362]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_362]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_362]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397) ~[?:1.8.0_362]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305) ~[?:1.8.0_362]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:398) ~[?:1.8.0_362]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:220) ~[?:1.8.0_362]

NOTE: The preceding log excerpts are only examples. Dates, times and environment-specific values may vary depending on your environment.
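A quick way to confirm the concurrent-connection symptom from nsxapi.log is to look for LDAPS connect attempts to different servers that start within the same second. The following is an added example, not VMware's code, that parses constructed lines modelled on the excerpt above; the one-second grouping window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the nsxapi.log excerpt above.
SAMPLE_LOG = """\
2024-06-21T12:32:12.965Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC.test.local:636 (LDAPS)
2024-06-21T12:37:12.957Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC.test.local:636 (LDAPS)
2024-06-21T12:37:12.957Z INFO LdapSyncTask AbstractLdapConnector 5071 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Simple Connector start to connect to: DC02.test.local.pl:636 (LDAPS)
"""

# Matches the "start to connect to" line written by AbstractLdapConnector.
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+INFO\s+LdapSyncTask\s+AbstractLdapConnector.*"
    r"Simple Connector start to connect to: (?P<server>\S+) \((?P<proto>LDAPS?)\)$"
)


def parse_connect_attempts(text):
    """Return (timestamp, server, protocol) for each LDAP connect attempt."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            attempts.append((ts, m["server"], m["proto"]))
    return attempts


def find_concurrent_ldaps(attempts, window=timedelta(seconds=1)):
    """Group LDAPS attempts whose start times fall within `window` of the
    first attempt in the group, and return the groups that target more than
    one server, as (group start time, sorted server list)."""
    ldaps = sorted(a for a in attempts if a[2] == "LDAPS")
    groups, current = [], []
    for a in ldaps:
        if current and a[0] - current[0][0] > window:
            groups.append(current)
            current = []
        current.append(a)
    if current:
        groups.append(current)
    return [
        (g[0][0], sorted({s for _, s, _ in g}))
        for g in groups
        if len({s for _, s, _ in g}) > 1
    ]


if __name__ == "__main__":
    for when, servers in find_concurrent_ldaps(parse_connect_attempts(SAMPLE_LOG)):
        print(f"{when.isoformat()}: concurrent LDAPS attempts to {', '.join(servers)}")
```

Run it against the real file with `parse_connect_attempts(open("/var/log/proton/nsxapi.log").read())`; a non-empty result at the times the alarm fires points at the race condition described in the Cause section.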

Environment

VMware NSX-T Data Center 3.X

VMware NSX-T Data Center 4.X

Cause

The connectivity alarm is caused by a race condition that occurs when the NSX-T Manager tries to sync with multiple domain controllers at the same time using LDAPS.

Resolution

This issue is resolved in future releases of NSX-T.

Workaround:

To avoid the race condition, the LDAP server sync intervals need to be spaced out using prime numbers so that the connections to the different servers are not attempted concurrently.
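To illustrate why distinct prime intervals reduce concurrent syncs, here is an added example (not VMware's code and not the NSX-T scheduler) that counts how often syncs from different domains coincide over a day. The 5-minute baseline is taken from the timestamps in the log excerpt; the one-minute connection duration is an assumption.

```python
from itertools import combinations
from math import gcd


def is_prime(n):
    """Trial-division primality test; sync intervals are small (minutes)."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def prime_intervals(count, minimum):
    """First `count` primes >= `minimum`, one sync interval per LDAP server."""
    out, n = [], minimum
    while len(out) < count:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def sync_starts(interval, horizon):
    """Start times (in minutes) of a sync that fires every `interval` minutes."""
    return range(0, horizon, interval)


def count_overlaps(intervals, horizon=1440, duration=1):
    """Number of times two servers' syncs run concurrently within `horizon`
    minutes. Each sync is assumed to hold its LDAPS connection for `duration`
    minutes (a modelling assumption, not a figure from the article)."""
    overlaps = 0
    for i, j in combinations(range(len(intervals)), 2):
        for s in sync_starts(intervals[i], horizon):
            for t in sync_starts(intervals[j], horizon):
                if abs(s - t) < duration:
                    overlaps += 1
    return overlaps


def first_full_collision(intervals):
    """Minutes until every server syncs at the same instant again (the lcm)."""
    result = 1
    for n in intervals:
        result = result * n // gcd(result, n)
    return result


if __name__ == "__main__":
    # Three domains all syncing every 5 minutes versus three distinct primes.
    same, primes = [5, 5, 5], prime_intervals(3, 5)  # primes == [5, 7, 11]
    print("equal intervals:", count_overlaps(same), "concurrent syncs/day")
    print("prime intervals", primes, ":", count_overlaps(primes), "per day,",
          "all three coincide every", first_full_collision(primes), "min")
```

Even with prime intervals, all servers still coincide every lcm minutes (385 here), so choose intervals whose lcm is large compared with the time a sync holds its connection.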