A ZTNA tenant is set up to test a number of Web/RDP/SSH applications in which users authenticate successfully with LDAP or SAML.
Two LDAP identity providers are configured using plain LDAP on TCP 389 (not secure LDAP on TCP 636). Unusually, both LDAP identity providers point at the same Active Directory (AD) IP address and port.
One morning, the ZTNA admin receives a notification email from Symantec ZTNA stating:
"We were unable to connect to the identity provider 'ExampleLDAPIdentityProviderName' in tenant 'example_tenant'."
The ZTNA Portal confirms that the LDAP identity providers are offline.
An LDAP browser connecting to the same AD IP address/port as the LDAP proxy user receives a successful response.
The ZTNA admin apparently made no changes to the AD or SAC configuration over the previous few days.
ZTNA with an LDAP Identity Provider configured.
Suspected corruption of the LDAP Identity Provider configuration on the connector side.
Make a change to the LDAP Identity Provider configuration to force a configuration update to the connector.
When the offline messages appeared, a TCPDUMP was run on the connector for about 15-20 minutes, capturing traffic to AD, in order to see the probes. It showed a health check every 5 minutes that appeared to fail with invalid credentials. The same credentials connected successfully from an LDAP browser, and the credentials in the PCAPs looked correct (the password is visible in the capture because plain LDAP on TCP 389 is used).
Forcing a configuration update by changing the password to a new one and then back to the original one fixed the issue.
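As an added illustration of what that capture analysis involves (example code, not part of the original article or of Symantec ZTNA): a small decoder for the LDAP simple-bind request/response pairs in such a capture, run over constructed sample frames, which counts invalidCredentials (resultCode 49) results and measures the probe interval; it also shows why a plain TCP 389 bind exposes the proxy user's password, something LDAPS on 636 would avoid. The DN, password, error text and timestamps are constructed, and only BER short-form lengths are handled.

```python
# Added example, not Symantec/Broadcom code: decode the LDAP simple-bind health-check probes
# the TCPDUMP analysis above examined. All frames, DNs, passwords and timestamps are constructed.
INVALID_CREDENTIALS = 49  # LDAP resultCode 49 = invalidCredentials

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload  # BER short-form length only (< 128 bytes)

def children(value: bytes) -> list:
    """Split a constructed BER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, n = value[pos], value[pos + 1]
        out.append((tag, value[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return out

def decode_bind(frame: bytes) -> dict:
    """Return the fields of a BindRequest (0x60) or BindResponse (0x61)."""
    (_, msg_id), (op, body) = children(children(frame)[0][1])[:2]  # LDAPMessage SEQUENCE
    fields = children(body)
    if op == 0x60:  # [APPLICATION 0] BindRequest; simple auth (tag 0x80) is cleartext on 389
        (_, dn), (auth_tag, secret) = fields[1], fields[2]
        return {"op": "bindRequest", "id": msg_id[0], "dn": dn.decode(),
                "cleartext_password": secret.decode() if auth_tag == 0x80 else None}
    if op == 0x61:                              # [APPLICATION 1] BindResponse
        return {"op": "bindResponse", "id": msg_id[0], "resultCode": fields[0][1][0],
                "error": fields[2][1].decode()}
    raise ValueError(f"not a bind operation: {op:#x}")

def probe_summary(capture: list) -> dict:
    """Count rejected binds and measure probe cadence from (epoch_seconds, frame) pairs."""
    times, rejected = [], 0
    for ts, frame in capture:
        m = decode_bind(frame)
        if m["op"] == "bindRequest":
            times.append(ts)
        elif m["resultCode"] == INVALID_CREDENTIALS:
            rejected += 1
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"probes": len(times), "invalid_credentials": rejected,
            "interval_seconds": min(gaps) if gaps else None}

def sample_capture() -> list:
    """Constructed capture: one bind request/response pair every 300 s, all rejected."""
    dn = b"CN=ztna-proxy,OU=svc,DC=example,DC=com"              # sample proxy user DN
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, b"SamplePass1")  # v3, simple auth
    req = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, bind))
    err = b"AcceptSecurityContext error, data 52e"              # sample AD error text
    resp = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, err)))
    return [(t + d, f) for t in (1000, 1300, 1600) for d, f in ((0, req), (1, resp))]
```

On a real capture the frames would come from the TCP 389 payloads of each probe; a 300-second interval with every bind rejected matches the 5-minute failing health check seen above.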