Tonny Andersson1709158460 Posted April 27, 2020: After the upgrade from 13.0.47.24 to 13.0.52.24 I cannot access a LB VIP on port 389 (LDAP) any longer. Can't even telnet to the VIP on port 389. After reverting the ADC VPX VM snapshot to 13.0.47.24 it works again. Bug...?
Diego Oliveira Posted April 27, 2020: I recommend opening a case with Citrix. This version is very new.
Manoj Rana Posted April 27, 2020: Hi, as far as I am aware there is no known issue on port 389 LDAP. After the upgrade, have you checked your monitors? Are they up? Another thing: port 389 is not secure; you should not use it. You can try LDAPS on port 636. Thanks, Manoj
Tonny Andersson1709158460 (Author) Posted April 27, 2020: Monitors are up. It should work without changing the ports, right? A support case is opened.
Manoj Rana Posted April 27, 2020: Hi, check the Carl article here for LDAPS load balancing with 636. Thanks, Manoj
Johannes Norz Posted April 27, 2020: Microsoft (and Citrix as a result) discontinued LDAP on port 389. Use SSL instead (636). Greetings from sunny Austria, Johannes Norz, CTA, CCI, CCE-N
Tonny Andersson1709158460 (Author) Posted April 27, 2020: So ADC cannot load balance tcp/389 anymore (LDAP or not)? I doubt that.
Johannes Norz Posted April 27, 2020: It can. But Microsoft cannot authenticate on port 389 any more, beginning March 2020. That's the problem. You may have a look at my blog to see why :) Cheers, Johannes
Tonny Andersson1709158460 (Author) Posted April 27, 2020: That's not the problem here. As described, it works on 13.0.47.24 but not on 13.0.52.24.
Johannes Norz Posted April 27, 2020, quoting Tonny Andersson1709158460 ("That's not the problem here. As described, it works on 13.0.47.24 but not on 13.0.52.24."): OK. So I can't help. Anyway, you will have to change to SSL, no matter if this is the "problem here" or not.
Omar Hempsall1709158465 Posted May 1, 2020: You're not alone. Errors that the vserver is reachable, but 389/636 are not? Directly setting the DC works from the same SNIP; this is the internal stack on the ADC. In the vserver, give it a vacant but valid new IP and change the auth server, and it may work. Delete the VS completely and remove the IP, then recreate. This worked for me, but LDAPS fails intermittently. I had substituted a new vServer with a new IP and 10 days later had a full fail. Ticket open with Citrix, will let you know what I find.
Tonny Andersson1709158460 (Author) Posted May 1, 2020, replying to Omar Hempsall1709158465's post above: I also have a ticket open with Citrix; it has been escalated.
Johannes Norz Posted May 3, 2020: There might be another problem with using LDAPS: the built-in StoreFront monitor won't work any more. I have written a blog on how to fix this issue. Greetings, Johannes Norz, CTA, CCI, CCE-N
Marion Bauer1709159214 Posted May 3, 2020: Have you tried an nstrace? What's in it? Does the NetScaler send an RST packet in response to the request? Is there an error code in the WIN frame? I had a similar issue a few days ago with the latest version of Citrix ADC 13.0. LDAPS had stopped working (only the LB vserver; the members were reachable and also showing as UP in the service group, and using the DCs directly also worked). If I delete the vserver and create it again it works, and after about 3-4 days the error is the same. I would be curious what's in your trace and whether this is similar. Thanks, best regards, Mary
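A small probe in the spirit of the questions above, added here as an illustration and not posted by anyone in the thread: it connects to a VIP or DC on 389, sends an anonymous (credential-free) LDAP bind request, and reports whether the listener refused the SYN, accepted and then reset, went silent, closed, or answered, so the behaviour through the VIP can be compared with the DCs directly before pulling an nstrace. The VIP and DC addresses are placeholders you supply; fake_listener is a constructed local stand-in used only to exercise the classifier. It speaks plaintext 389 only; for 636 the socket would first need a TLS handshake.

```python
import socket
import struct
import threading

# Anonymous LDAPv3 simple BindRequest (BER, messageID 1, empty DN): carries no
# credentials, it only shows whether the listener answers, resets or stays silent.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def probe_ldap(host, port, timeout=3.0):
    """Return one of: refused, timeout, reset, silent, closed, responded, unexpected."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"      # RST to the SYN: nothing listening on that VIP:port
    except socket.timeout:
        return "timeout"      # SYN never answered: routing, VLAN or firewall
    with sock:
        try:
            sock.sendall(ANON_BIND)
            data = sock.recv(64)
        except ConnectionResetError:
            return "reset"    # accepted, then RST on the request (visible in nstrace)
        except socket.timeout:
            return "silent"   # accepted, request dropped without a reply
    if not data:
        return "closed"       # FIN before any LDAP answer
    return "responded" if data[:1] == b"\x30" else "unexpected"

def compare_paths(vip, backends, port=389):
    """Probe the VIP and every backend DC directly, as the posters did by hand."""
    targets = [("vip", vip)] + [("dc", dc) for dc in backends]
    return {(label, host): probe_ldap(host, port) for label, host in targets}

def fake_listener(mode):
    """Constructed local stand-in for a VIP; mode is 'respond', 'reset' or 'close'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(64)
        if mode == "respond":  # BindResponse with resultCode success(0)
            conn.sendall(bytes.fromhex("300c02010161070a010004000400"))
        elif mode == "reset":  # zero linger makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Run compare_paths against the real VIP and the DC list: a VIP that shows "reset" or "silent" while every DC shows "responded" points at the ADC itself rather than the directory.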
Omar Hempsall1709158465 Posted May 5, 2020, replying to Marion Bauer1709159214's post above: Sounds exactly the same, Mary...
- Citrix Support took the traces away yesterday and said I'd be hearing back today. Considering downgrading to 47.24 if Citrix can't turn this around quickly.
- We were seeing unexpected failovers with the earlier version though, but at least not full auth outages!
Marion Bauer1709159214 Posted May 6, 2020: In my case Citrix told me that the error is there because I have the same VLAN bound on two interfaces. The strange thing is that I can solve this issue by using another port for the vserver other than 636. Since I only need it for the authentication on NetScaler (auth vserver and a Citrix Gateway) I simply took another port, and so far it seems to be working, but I am not done with testing yet. I know that having a VLAN bound to two interfaces is not okay and I would never ever recommend doing so, but I don't see why this should be the cause here. It has worked before, and what would be different on another port!? I am considering downgrading to 12.1 ... I am curious what the result of your case will be! Thanks!
Jochen Wagner Posted May 7, 2020: I have the same problem and also have a case open. I upgraded one node to 13.0.52.24; when this one is primary, LDAP isn't working. When I make the old one primary it is working again, so this is my workaround for now. When I change LDAP to SSL/636 it also works, but then password change isn't working, so this is no solution. I'm talking about the LDAP vserver here: the connection to the domain controllers is over SSL/636; only the connection from the ADC to the LDAP LB vserver (internal) has to be unencrypted on port 389. Greetings
Omar Hempsall1709158465 Posted May 27, 2020: Citrix Support case update:
>> Possibly related to an internal bug; the fix for the internal bug should be included in 13.0-58.x; awaiting confirmation from engineering.
Omar Hempsall1709158465 Posted June 14, 2020: Fixed in 58.30.