"An undetermined error occurred" for NSX LDAP connection status in a 'Failed' state
Article ID: 416122
Updated On:
Products
VMware NSX
Issue/Introduction
- NSX Version is 4.2.x.
- LDAP 'Connection Status' (LDAP probe) is in failed state with an "undetermined error" reported in the NSX UI:
- Adding or changing LDAP servers fails with an "Unknown Error".
- LDAP services are working as expected.
- API call to check the LDAP probe returns a "GENERAL_ERROR":
POST /api/v1/aaa/ldap-identity-sources/<LDAP Identity Source ID>?action=probe
Environment
VMware NSX 4.2 and above.
Cause
This behavior occurs if the LDAP server does not support the TLS cipher suites available in NSX 4.2 and above.
NB: Less secure TLS cipher suites were removed in NSX 4.1 and above.
Resolution
This is a condition that may occur in a VMware NSX environment.
- Our recommendation is to upgrade the impacted LDAP server's TLS version to 1.3 with a cipher suite that is supported by NSX 4.2.x.
- If you are unable to upgrade your LDAP server TLS version, please open a case with Broadcom support via the Broadcom portal: Creating and Managing Broadcom Support Cases
Additional Information
Cipher suites used by NSX 4.1 and above:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher suites used by NSX 4.2 and above:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
Cipher suites used by previous versions of VMware NSX:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
Related KBs
Feedback
Yes
No
Powered by
