IDFW Active Directory Status: Displays as "Success"; however, LDAP servers show as "Down" under the connection status.


Article ID: 379440


Products

VMware vDefend Firewall

Issue/Introduction

This article explains an issue where the NSX Identity Firewall (IDFW) displays the LDAP server connection status as "Down" even though LDAP communication succeeds. Although the initial bind and authentication complete successfully, the NSX UI may report the following error when an LDAP server is added to NSX: "The credentials were incorrect or the account specified has been locked. (Error code: 524007)", indicating a failure in connectivity verification. This discrepancy is often caused by the way the Policy and Proton layers handle the LDAP connectivity status.

Environment

VMware vDefend Firewall 

Cause

You have verified that the password is correct by successfully logging in to the LDAP server. Despite seeing successful LDAP responses, errors may appear because of miscommunication between the Policy and Proton layers. The LDAP credentials are confirmed to be correct; the issue lies in the internal handling of calls between these two layers.

1. Inside the NSX-T Manager, /var/log/proton/policy-ui.log:

 {"user":"admin","message":"Api Errors->","status":400,"statusText":"Bad Request","url":"https://engvpa-nsxlm/policy/api/v1/infra/firewall-identity-store-ldap-server?action=CONNECTIVITY","error_code":524007,"error_message":"Error: LDAP server 'x.x.x.x' connection failed during verification."}


2. Inside the NSX-T Manager, /var/log/proton/nsxapi.log:

2024-09-05T16:33:15.319Z ERROR http-nio-127.0.0.1-7440-exec-59 DirectoryServiceFacadeImpl INVENTORY [nsx@6876 comp="nsx-manager" errorCode="MP38519" level="ERROR"] LDAP server 'x.x.x.x' connection failed during verification, authentication failed with principal '******'.


3. Inside the NSX-T Manager, /var/log/syslog:

2024-10-03T20:55:25.177Z WARN http-nio-127.0.0.1-7440-exec-3 NsxTRestClient 5412 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" reqId="1db36881-3f00-4229-b58c-0628dca3ddc2" subcomp="manager" username="admin"] Authentication failure with NSX manager, will retry org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: "{"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403}"


4. Proton localhost_access_log:

Shows two CONNECTIVITY checks, one with a 200 and another with a 400:

2024-10-03T20:55:25.154Z - "POST /nsxapi/api/v1/directory/ldap-server?action=CONNECTIVITY HTTP/1.1" 200 13 487 487 + 

2024-10-03T20:55:25.183Z - "POST /nsxapi/api/v1/infra/firewall-identity-store-ldap-server?action=CONNECTIVITY HTTP/1.1" 400 194 612 612


5. Proxy localhost_access_log:

Displays a 200 and two 403 status codes. The Policy-level call succeeds and the Manager-level API call fails:

2024-10-03T20:55:24.570Z 127.0.0.1 - "POST /policy/api/v1/infra/firewall-identity-store-ldap-server?action=CONNECTIVITY HTTP/1.1" 200 - 0 0 

2024-10-03T20:55:25.176Z 127.0.0.1 - "POST /api/v1/directory/ldap-server?action=CONNECTIVITY HTTP/1.1" 403 141 0 0

2024-10-03T20:55:25.181Z 127.0.0.1 - "POST /api/v1/directory/ldap-server?action=CONNECTIVITY HTTP
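To confirm quickly from the access logs that you are hitting this Policy/Manager mismatch rather than a genuinely bad credential, the following added example (not part of this article or of NSX itself) parses localhost_access_log lines in the format shown above and flags CONNECTIVITY checks where the Policy API returned 200 but the Manager API rejected the same check moments later. The sample log lines are constructed to mirror the entries above; the five-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Matches both the proxy form ("<ts> 127.0.0.1 - "POST ...") and the Proton
# form ("<ts> - "POST ...") of localhost_access_log lines shown on this page.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?:\S+\s+)?-\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+'
    r'HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

# Constructed sample input, modelled on the proxy access log entries above.
SAMPLE_LOG = """
2024-10-03T20:55:24.570Z 127.0.0.1 - "POST /policy/api/v1/infra/firewall-identity-store-ldap-server?action=CONNECTIVITY HTTP/1.1" 200 - 0 0
2024-10-03T20:55:25.176Z 127.0.0.1 - "POST /api/v1/directory/ldap-server?action=CONNECTIVITY HTTP/1.1" 403 141 0 0
2024-10-03T20:55:25.181Z 127.0.0.1 - "POST /api/v1/directory/ldap-server?action=CONNECTIVITY HTTP/1.1" 403 141 0 0
2024-10-03T20:56:00.000Z 127.0.0.1 - "GET /api/v1/node HTTP/1.1" 200 - 0 0
"""


def parse_access_log(lines):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def find_ldap_status_mismatch(entries, window_s=5):
    """Return (policy_entry, manager_entry) pairs where a Policy-level
    CONNECTIVITY check got 200 and a Manager-level check on
    /api/v1/directory/ldap-server got 400/403 within window_s seconds after it.
    That pattern is the signature described in this article, not a bad password."""
    conn = [e for e in entries if "action=CONNECTIVITY" in e["path"]]
    policy_ok = [e for e in conn if e["path"].startswith("/policy/api/") and e["status"] == 200]
    mgr_fail = [e for e in conn if e["path"].startswith("/api/v1/directory/ldap-server")
                and e["status"] in (400, 403)]
    window = timedelta(seconds=window_s)
    return [(p, m) for p in policy_ok for m in mgr_fail
            if timedelta(0) <= m["ts"] - p["ts"] <= window]


if __name__ == "__main__":
    for p, m in find_ldap_status_mismatch(parse_access_log(SAMPLE_LOG.splitlines())):
        print(f"Policy {p['status']} at {p['ts']} -> Manager {m['status']} at {m['ts']}")
```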

Resolution

Workaround Steps:

To address connectivity issues immediately:

  1. Add an incorrect credential for the LDAP Manager (LM) from the Active Global Manager (GM).
  2. Re-add the correct credential for the site.
  3. Navigate to the LM site from the GM (using the site-switcher) to check the LDAP Server status.