LDAP synchronization failure with connection reset error


Article ID: 380312


Products

VMware NSX

Issue/Introduction

A Full or Delta LDAP sync fails, and the UI reports a connection reset.


The nsxapi.log shows that the synchronization process starts and never progresses past step "1: waiting for DirectoryGroupMemberProcessor to finish":

$ grep DirectoryGroupMemberSyncProcessor var/log/proton/nsxapi.1.log
2024-10-01T18:13:09.309Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] stop sync processor [Group-Member]: DirectoryGroupMemberSyncProcessor@4c2a51ca
2024-10-01T18:13:09.309Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1: stop group-member processor: DirectoryGroupMemberObjectProcessor@1c3cfc66
2024-10-01T18:13:09.309Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 2: stop group-member processor: DirectoryGroupMemberObjectProcessor@2fe4e75c
2024-10-01T18:13:14.309Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 3: stop group-member processor: DirectoryGroupMemberObjectProcessor@12f43192
2024-10-01T18:13:14.310Z ERROR LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" errorCode="MP38005" level="ERROR" subcomp="manager"] Error happened in GroupMemberProcessor thread. Not all groupMember got synchronized.
        at com.vmware.nsx.management.directory.synchronization.DirectoryGroupMemberSyncProcessor.process(DirectoryGroupMemberSyncProcessor.java:143) ~[?:?]
2024-10-01T18:13:14.310Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 3: waiting for DirectoryGroupMemberProcessor to finish
2024-10-01T18:13:14.310Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 3: DONE: DirectoryGroupMemberProcessor
2024-10-01T18:13:14.316Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] # of unknown entities while processing Group Member: 24
2024-10-01T18:13:14.316Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"]   Unknown names:
2024-10-01T18:13:14.316Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Finish sync Group-Member objects.  Time: 603620.3 sec, # read: 88295, # processed: 88262, # invalid: 31
2024-10-01T18:13:14.336Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] destroy sync processor [Group-Member]: DirectoryGroupMemberSyncProcessor@4c2a51ca
2024-10-01T18:13:14.336Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1: destroy group-member processor: DirectoryGroupMemberObjectProcessor@1c3cfc66
2024-10-01T18:13:14.336Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 2: destroy group-member processor: DirectoryGroupMemberObjectProcessor@2fe4e75c
2024-10-01T18:13:14.336Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 3: destroy group-member processor: DirectoryGroupMemberObjectProcessor@12f43192
2024-10-01T18:13:14.370Z  INFO ActivityWorkerPool-1-15 LdapSyncContext 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"]   group-member processor: DirectoryGroupMemberSyncProcessor@bd51e95 (enabled)
2024-10-01T18:13:14.371Z  INFO ActivityWorkerPool-1-15 DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] init(): sync processor [group-member]: DirectoryGroupMemberSyncProcessor@bd51e95, # obj processors: 3, baseDn: DC=rte-intra,DC=com,DC=br
2024-10-01T18:13:14.396Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Start to sync Group-Member objects with 3 DirectoryGroupMemberProcessor (initialSync: false)
2024-10-01T18:20:14.632Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] === Start to sync Group-Member objects with 3 DirectoryGroupMemberProcessor (initialSync: false)
2024-10-01T18:20:19.546Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Total groups loaded from database for member sync: 2390
2024-10-01T18:20:19.546Z  INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1: waiting for DirectoryGroupMemberProcessor to finish

DirectoryGroupMemberProcessor stays at "waiting to finish" forever.
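
The symptom above can be checked mechanically. The following is an added example, not VMware code: it scans nsxapi.log lines for a "N: waiting for DirectoryGroupMemberProcessor to finish" entry that is never followed by the matching "N: DONE" entry. The function names, the one-hour age threshold and the sample lines (constructed in the format of the excerpt above) are assumptions.

```python
import re
from datetime import datetime, timezone

# Patterns taken from the log excerpt in this article.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s")
WAIT = re.compile(r"\] (\d+): waiting for DirectoryGroupMemberProcessor to finish")
DONE = re.compile(r"\] (\d+): DONE: DirectoryGroupMemberProcessor")
START = "=== Start to sync Group-Member objects"
FINISH = "=== Finish sync Group-Member objects"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def find_stalled_waits(lines, now, min_age_s=3600):
    """Return [(step_no, waiting_since, age_seconds)] for waits with no DONE.
    min_age_s is an assumed threshold, not a value from the article."""
    pending = {}
    for line in lines:
        m = TS.match(line)
        if not m or "DirectoryGroupMemberSyncProcessor" not in line:
            continue  # stack-trace continuation or another component
        wait, done = WAIT.search(line), DONE.search(line)
        if START in line or FINISH in line:
            pending.clear()  # a new run began or the previous run completed
        elif wait:
            pending[int(wait.group(1))] = parse_ts(m.group(1))
        elif done:
            pending.pop(int(done.group(1)), None)
    ages = [(n, ts, (now - ts).total_seconds()) for n, ts in sorted(pending.items())]
    return [a for a in ages if a[2] >= min_age_s]

# Constructed sample lines, abridged from the excerpt above.
P = (' INFO LdapSyncTask DirectoryGroupMemberSyncProcessor 85779 INVENTORY '
     '[nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] ')
SAMPLE = [
    "2024-10-01T18:13:14.310Z " + P + "3: waiting for DirectoryGroupMemberProcessor to finish",
    "        at com.vmware.nsx.management.directory.synchronization."
    "DirectoryGroupMemberSyncProcessor.process(DirectoryGroupMemberSyncProcessor.java:143) ~[?:?]",
    "2024-10-01T18:13:14.310Z " + P + "3: DONE: DirectoryGroupMemberProcessor",
    "2024-10-01T18:20:14.632Z " + P + "=== Start to sync Group-Member objects with 3 "
    "DirectoryGroupMemberProcessor (initialSync: false)",
    "2024-10-01T18:20:19.546Z " + P + "1: waiting for DirectoryGroupMemberProcessor to finish",
]

if __name__ == "__main__":
    for n, since, age in find_stalled_waits(SAMPLE, parse_ts("2024-10-01T20:20:19.546")):
        print(f"step {n} waiting since {since.isoformat()} ({age:.0f}s)")
```

A non-empty result only shows that the log matches the symptom; confirming the cause still requires the TRACE-level logging described under Resolution.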


Environment

VMware NSX 4.1.x and prior versions

VMware vDefend Firewall

Cause

There is an infinite loop while fetching the members of an AD group.

Resolution

  • There is no workaround.
  • This issue is fixed in NSX 4.2.
  • To confirm that this is your issue, please open a support request to get assistance with enabling TRACE level logging for directory synchronization on the NSX manager.