ProxySG & Advanced Secure Gateway

  • 1.  Configured Policy institution and Created LDAP authentication

    Posted Jul 08, 2020 03:49 AM
    Edited by Ahmed Mahmud Jul 08, 2020 03:50 AM
    Hi All,
    I am facing an issue once I configured Policy Substitution and created LDAP authentication. The goal of this configuration is for any user who is connected through wireless to authenticate once in ClearPass and pull the same authentication in the proxy while accessing the internet with IP redirect authentication. Everything is working fine, but I am getting a warning error every now and then and the health check shows yellow. I am getting the error below.


    Enabled  	Check failed  	DOWN
        Last status: Could not connect to LDAP server.
        Successes (total): 2410211  	(last): Wed, 08 Jul 2020 07:47:25 GMT  	(consecutive): 0
        Failures  (total): 234350  	(last): Wed, 08 Jul 2020 07:47:35 GMT  	(consecutive): 1  	(external): 0
        Last response time: 3544 ms  	Average response time: 3544 ms
        Minimum response time: 3544 ms  	Maximum response time: 3544 ms
    


  • 2.  RE: Configured Policy institution and Created LDAP authentication

    Posted Jul 08, 2020 04:14 AM
    Hello Ahmed Mahmud.

    I think your LDAP server or your network has a problem.
    Please take a PCAP on port 389 at the proxy and perform a health check in the GUI.

    After that, analyse the PCAP to find the problem.

    Thank you
    Sakkarin Pichetskul 


    ------------------------------
    System Engineer
    nForce Secure Co.,Ltd. [Thailand]
    ------------------------------



  • 3.  RE: Configured Policy institution and Created LDAP authentication

    Posted Jul 08, 2020 04:47 AM
    Hi Sakkarin,
    Thanks for your suggestion. This step was already done, but I don't see any drop in the traffic, and I made sure from the AD side as well that no error was generated in the Event Viewer.


  • 4.  RE: Configured Policy institution and Created LDAP authentication

    Posted Jul 14, 2020 02:13 AM
    Hello Ahmed Mahmud,

    Please answer the questions below.
    1. At the LDAP realm, can you test whether authentication succeeds or not?
    2. If not, I think some config on the LDAP realm is wrong.
    3. If yes, please take a PCAP of this step: at the custom health checks (Configuration -> Health checks -> General -> Health Checks tab), click the realm with the issue and click "Perform health check".

    BR
    Sakkarin Pichetskul


    ------------------------------
    System Engineer
    nForce Secure Co.,Ltd. [Thailand]
    ------------------------------



  • 5.  RE: Configured Policy institution and Created LDAP authentication
    Best Answer

    Broadcom Employee
    Posted Jul 14, 2020 12:21 PM
    Hello Ahmed, 

    The proxy is marking the LDAP realm as 'DOWN' because the latency on the wire between the proxy and the LDAP server is 3.5 seconds, which is a lot.
    The way the proxy performs a health check is that it uses the active users' authentication transactions: as a user query is sent by the proxy to the LDAP server, the proxy counts how many milliseconds it took before the LDAP server replied to the proxy's user query.
    In your case it would seem that the amount of time that the proxy waited for the LDAP server response is 3.5 seconds.
    You can see those numbers in the health check data:

    Last response time: 3544 ms Average response time: 3544 ms
    Minimum response time: 3544 ms Maximum response time: 3544 ms

    Please consult with your local network administration to see if there is any latency on the wire, or with the Active Directory administration to figure out why it takes 3.5 seconds for the LDAP server to reply.

    This is not an issue caused by the proxy; the proxy is simply pointing out that there is latency on the wire or latency caused by the LDAP server.


    I hope this helps.
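
The following is an added example, not part of the thread or of any Broadcom tooling: it parses the health-check status block quoted in the first post and derives the failure ratio, the gap between the last success and the last failure, and whether the response time is slow. The function names and the `slow_ms` and `flap_window_s` thresholds are assumptions chosen for illustration, not ProxySG settings.

```python
import re
from email.utils import parsedate_to_datetime

# Status block quoted in the first post (constructed copy, whitespace normalised).
SAMPLE = """\
Enabled  Check failed  DOWN
Last status: Could not connect to LDAP server.
Successes (total): 2410211  (last): Wed, 08 Jul 2020 07:47:25 GMT  (consecutive): 0
Failures  (total): 234350  (last): Wed, 08 Jul 2020 07:47:35 GMT  (consecutive): 1  (external): 0
Last response time: 3544 ms  Average response time: 3544 ms
Minimum response time: 3544 ms  Maximum response time: 3544 ms
"""

COUNTER = r"{0}\s+\(total\):\s*(\d+)\s+\(last\):\s*(.+?GMT)\s+\(consecutive\):\s*(\d+)"

def parse_health_check(text):
    """Extract counters, timestamps and response times from the status block."""
    result = {}
    for kind in ("Successes", "Failures"):
        m = re.search(COUNTER.format(kind), text)
        if m is None:
            raise ValueError(f"no '{kind}' line found")
        result[kind.lower()] = {"total": int(m[1]), "last": parsedate_to_datetime(m[2]),
                                "consecutive": int(m[3])}
    times = re.findall(r"(Last|Average|Minimum|Maximum) response time:\s*(\d+)\s*ms", text)
    result["response_ms"] = {name.lower(): int(ms) for name, ms in times}
    return result

def assess(hc, slow_ms=1000, flap_window_s=60):
    """Summarise the counters; slow_ms and flap_window_s are assumed thresholds."""
    ok, bad = hc["successes"], hc["failures"]
    gap = abs((bad["last"] - ok["last"]).total_seconds())
    rt = hc["response_ms"]
    return {
        "failure_ratio": round(bad["total"] / (ok["total"] + bad["total"]), 4),
        "success_failure_gap_s": gap,
        # A success and a failure close together means the check alternates
        # between up and down rather than the server being unreachable throughout.
        "flapping": gap <= flap_window_s,
        "slow": rt["last"] >= slow_ms,
        # Identical last/average/min/max add no information beyond one value.
        "single_value_stats": len(set(rt.values())) == 1,
    }

if __name__ == "__main__":
    print(assess(parse_health_check(SAMPLE)))
```

On the quoted data this reports a failure ratio of about 8.9% with the last success and last failure 10 seconds apart, which fits an intermittently slow LDAP response rather than a server that is unreachable throughout.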



  • 6.  RE: Configured Policy institution and Created LDAP authentication

    Posted Jul 20, 2020 03:31 PM
    Hi Salva,

    You are super, you pinpointed the exact issue. Indeed the issue was on the LDAP server response, and I increased the time from 60 seconds to 120 seconds and the health check warning disappeared.

    Thanks.