LB LDAP not working after upgrade to 13.0.52.24

[Tonny Andersson1709158460]

After upgrade 13.0.47.24 to 13.0.52.24 I cannot access a LB VIP on port 389 (LDAP) longer.

Cant even telnet VIP on port 389.

 

After reverting ADC VPX VM snapshot to 13.0.47.24 again it works.

 

Bug...?

 

 

[Diego Oliveira]

I recommend opening a case with Citrix. This version is very new.

[Manoj Rana]

Hi,

 

As far as I am aware there is no know issue on port 389 LDAP. After upgrade have you checked your monitors ? are they up?

 

Another thing port 389 is non secure you should not use. You can try LDAPS on port 636.

 

Thanks

Manoj

 

[Tonny Andersson1709158460]

Monitors are up.

Should work without changing the ports right?

 

Support case is opened.

[Manoj Rana]

Hi,

 

Check the Carl article here for ldaps load balancing with 636

 

Thanks

Manoj

 

[Johannes Norz]

Microsoft (and Citrix as a result) discontinued LDAP on port 389. Use SSL instead (636).

 

Greetings from sunny Austria

 

Johannes Norz

CTA, CCI, CCE-N

[Tonny Andersson1709158460]

So ADC cannot load balance tcp/389 anymore (ldap or not)? I doubt that.

[Johannes Norz]

It can. But Microsoft can not authenticate on port 389 any more, beginning March 2020. That's the problem.

You may have a look at my blog to see why :)

 

Cheers

 

Johannes

[Tonny Andersson1709158460]

Thats not the problem here. As described it works on 13.0.47.24 but not on 13.0.52.24.

[Johannes Norz]

16 minutes ago, Tonny Andersson1709158460 said:

Thats not the problem here. As described it works on 13.0.47.24 but not on 13.0.52.24.

 

OK. So I can't help. Anyway, you will have to change to SSL. No matter if this is the "problem here" or not.

[Omar Hempsall1709158465]

You’re not alone.

 

Errors that the vserver is reachable, but 389/636 are not?

 

Directly setting the DC works, from the same SNIP, this is internal stack on the ADC.

 

In the vserver give it a vacant but valid new IP and change the auth server and it may work.

 

Delete the VS completely and remove the IP, then recreate. This worked for me, but LDAPS fails intermittently.

 

I had substituted a new vServer with a new IP and 10 days later had a full fail.

 

Ticket open with Citrix, will let you know what I find. 

[Tonny Andersson1709158460]

1 hour ago, Omar Hempsall1709158465 said:

You’re not alone.

 

Errors that the vserver is reachable, but 389/636 are not?

 

Directly setting the DC works, from the same SNIP, this is internal stack on the ADC.

 

In the vserver give it a vacant but valid new IP and change the auth server and it may work.

 

Delete the VS completely and remove the IP, then recreate. This worked for me, but LDAPS fails intermittently.

 

I had substituted a new vServer with a new IP and 10 days later had a full fail.

 

Ticket open with Citrix, will let you know what I find. 

I also have a ticket open with Citrix, that's been escalated.

[Johannes Norz]

There might be an other problem about using LDAPs: The built in StoreFront monitor won't work any more. I have written a blog on how to fix this issue.

 

reetings

 

Johannes Norz

CTA, CCI, CCE-N

[Marion Bauer1709159214]

Have you tried a nstrace? What's in it?

Does netscaler send an RST Package to the Request? Is there an error code in the WIN Frame?

I had a similar issue a few days ago with the latest version of Citrix ADC 13.0. LDAPS has stopped working (only the lb vserver, the members were reachable and also showing as UP in the service group and using the DCs directly did also work). 

If I delete the vserver and create it again it works and after about 3-4 days the error is the same. 

I would be curious what's in your trace and if this is similar.

 

Thanks,

Best Regards,

Mary

[Omar Hempsall1709158465]

On 5/3/2020 at 7:44 PM, Marion Bauer1709159214 said:

Does netscaler send an RST Package to the Request? Is there an error code in the WIN Frame?

I had a similar issue a few days ago with the latest version of Citrix ADC 13.0. LDAPS has stopped working (only the lb vserver, the members were reachable and also showing as UP in the service group and using the DCs directly did also work). 

If I delete the vserver and create it again it works and after about 3-4 days the error is the same. 

Sounds exactly the same, Mary... - Citrix Support took the traces away yesterday, said I'd be hearing back today.

 

Considering downgrading to 47.24 if Citrix can't turn this around quickly. - We were seeing unexpected failovers with earlier version though, but at least not full auth outages!

[Marion Bauer1709159214]

In my case citrix told me that the error is there cause I have the same VLAN on two interfaces bound. Strange thing is that I can solve this issue by using another port for the vserver other than 636. Since I only need it for the authentication on netscaler (auth vserver and a citrix gateway) I simply took another port and so far it seems to be working but I am not done with testing yet.

 

I know that having a VLAN bound to two interface is not okay and I would never ever recommend to do so, but I don't see why this should be the cause here. It has worked before on what would be diffrent on another port!?

I consider downgrading to 12.1 ... 

I am curious what the result of your case will be!

 

Thanks!

 

 

[Jochen Wagner]

I have the same problem and also have a case open. I upgraded one node to 13.0.52.24, when this one is primary ldap isn´t working. When i make the old one primary it is working again, so this is my workaround for now. When I change ldap to ssl/636 it also works, but then password change isn´t working, so this is no solution.

I´m talking about about the ldap vserver here, the connection to the domain controllers are over ssl/636, only the connection from ADC to the ldap lb vserver (internal) has to be unencrypted on port 389.

 

Greetings

[Omar Hempsall1709158465]

Citrix Support;

 

Case Update 
---------------------------------------------------------------- 

>> Possibly related to an internal bug, fix for the internal bug should be included in 13.0-58.x; awaiting confirmation from engineering

[Omar Hempsall1709158465]

Fixed in 58.30.