LDAP Server Connectivity and Delta Sync Alarms After Certificate Replacement

Article ID: 411360

Products

VMware NSX

Issue/Introduction

After updating or replacing the certificate on external LDAP servers, NSX may trigger the following alarms:

  • Connectivity to LDAP Server Lost

  • Error in Delta Sync

These alarms may persist or reappear even though the LDAP configuration section of NSX shows a successful status.

After the LDAP server certificate is updated or replaced, the LDAP settings under System > Identity Firewall > LDAP Servers still show the old thumbprint, and the synchronization status shows Failure.

The LDAP server entries still carry the certificate chain of the previous certificate, yet their status still shows Success.

Environment

VMware NSX 4.2.2.1

Cause

The thumbprint of the LDAP certificate in the Identity Firewall LDAP Server configuration was not updated after the new certificate was applied on the external LDAP servers.

Although the NSX LDAP integration settings may show a successful bind, the Identity Firewall component validates the server against its own saved certificate thumbprint, which may still reference the expired certificate.

Resolution

Workaround:

Follow the steps below to resolve the issue:

1. Verify Certificate Replacement Timeline

  • Confirm when the LDAP server certificates were replaced.

  • Cross-check alarm timestamps to verify correlation.

2. Check LDAP Configuration in NSX

  • Navigate to System > Identity Firewall > LDAP Servers.

  • Select the affected LDAP server.

  • Verify the Certificate Thumbprint reflects the new LDAP certificate.

3. Import the new certificate chain for the LDAP servers

  • Navigate to System > User Management > LDAP.

  • Select the LDAP servers and click Edit.

  • Replace the intermediate and Kerberos certificate chain with the newly issued CA certificate chain (Intermediate and Kerberos).

  • Click Save.

4. Update LDAP Thumbprints

  • If the thumbprint is outdated under System > Identity Firewall > LDAP Servers:

    • Remove the old thumbprint entry.

    • Add the new thumbprint manually.

    • Save the configuration.

5. Restart Proton Service (if needed)

  • SSH into the NSX Manager node showing the alarms.

  • Run the following command as root:

    /etc/init.d/proton restart

  • Wait 10–15 minutes and monitor whether the alarms return.

  • Navigate to System > Identity Firewall > LDAP Servers.

  • Ensure synchronization status reflects "SUCCESS".

  • Confirm no further "Delta Sync" or "Connectivity Lost" alarms appear.
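To verify steps 2 and 4 without reading the thumbprint off the UI, the following added script (not part of this article or of NSX) fetches the certificate the LDAP server currently presents on LDAPS and compares its SHA-256 thumbprint with the one saved in NSX. The host name and stored thumbprint are placeholders, and the colon-separated SHA-256 notation is assumed to match what the NSX UI displays.

```python
"""Added example: compare the thumbprint stored in NSX Identity Firewall
with the certificate an LDAP server currently presents over LDAPS."""
import hashlib
import ssl


def thumbprint_from_der(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated
    upper-case hex, the notation the NSX UI uses for thumbprints
    (SHA-256 is assumed here)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Strip colons, spaces and case so copy-pasted values compare equal."""
    return "".join(c for c in value.upper() if c in "0123456789ABCDEF")


def thumbprints_match(stored: str, live: str) -> bool:
    """True when the thumbprint saved in NSX equals the live one."""
    return normalize_thumbprint(stored) == normalize_thumbprint(live)


def fetch_live_thumbprint(host: str, port: int = 636) -> str:
    """Fetch the leaf certificate the LDAPS listener presents and hash it.
    Chain validation is intentionally skipped: the goal is to learn which
    certificate is live, not to trust it. StartTLS on 389 is not covered."""
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def check_server(host: str, stored_thumbprint: str, port: int = 636) -> dict:
    """Report whether the NSX-side thumbprint is stale for this server."""
    live = fetch_live_thumbprint(host, port)
    return {
        "host": host,
        "stored": stored_thumbprint,
        "live": live,
        "stale": not thumbprints_match(stored_thumbprint, live),
    }


if __name__ == "__main__":
    # Placeholder host and thumbprint; replace them with the values shown
    # under System > Identity Firewall > LDAP Servers.
    result = check_server("ldap.example.com", "AA:BB:...:FF")
    action = "update thumbprint in NSX" if result["stale"] else "thumbprint matches"
    print(f"{result['host']}: {action}\n  stored={result['stored']}\n  live={result['live']}")
```

A "stale" result means the value saved in NSX must be replaced as described in step 4; a match with alarms still present points to the certificate chain in step 3 or the Proton restart in step 5 instead.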

Additional Information

These alarms can persist until the thumbprint mismatch is resolved, even if the LDAP server accepts the connection via its new certificate and has a SUCCESS status under System > User Management > LDAP.

This typically impacts Identity Firewall policies that depend on LDAP user/group resolution.