
LDAP Auth Server Setup using NSIP instead of SNIP



Hi,

 

I am trying to set up an LDAP Auth server on a partition, but it says the server is not reachable. I did a Wireshark trace and it shows the source IP as the NSIP instead of the SNIP. My NSIP cannot communicate on the VLAN where the LDAP service resides.

I have the domain controllers load balanced and created an LDAP monitor which I assigned to the corresponding service group.

Shouldn't the SNIP be used by default if it detects load balanced domain controllers?


Change the monitor from LDAP to ping to see if this is just a monitor issue.

LDAP, StoreFront, user (custom) and some of the advanced monitors are called "scriptable" monitors and by default invoke from shell and source from the NSIP without making other changes.

Most of the basic monitors (ping/tcp/http and others) are non-scriptable and source from the SNIP by default.

So your LDAP monitor uses the NSIP by default and fails because it's not routable, so your services appear down. If you switch the monitor to ping or tcp for the port test, and the services go UP, then the issue is just the monitor source IP causing the probes to fail.


OK, so my load balancing vserver for the domain controllers has shown UP the entire time, even with an LDAP monitor bound to the service group. When I go to the Authentication tab and try to establish an LDAP authentication policy, I try to test the connection after putting in the required information. The test always fails, and the traffic originates from the NSIP, even though I have load balanced the domain controllers through the SNIP.

Also, I even tried removing the LDAP monitor and replacing it with PING, to no avail.


Which version of firmware are you using? In some versions the "test" app fails but live traffic works.

Have you tested an actual authentication request, OR only the "test" app (which would also use the NSIP because it is not originating from a client)?

If both the test app and the real live request fail, then we still need to look at what is happening.


I'm using 13.1 12.51.nc

When I create the policy, it shows the status in RED.

I have another cloud where my NSIP can communicate with the SNIP network, as a test. Test connectivity works and the policy shows GREEN.

Edit: OK, ran an nstcpdump and am seeing that the SNIP is being used. It must be some weird networking issue on my end. If I figure it out I'll post it here.

Edited by Britton Pennington
new information to share

16 hours ago, Britton Pennington1709163200 said:

OK, so my load balancing vserver for the domain controllers has shown UP the entire time, even with an LDAP monitor bound to the service group. When I go to the Authentication tab and try to establish an LDAP authentication policy, I try to test the connection after putting in the required information. The test always fails, and the traffic originates from the NSIP, even though I have load balanced the domain controllers through the SNIP.

Also, I even tried removing the LDAP monitor and replacing it with PING, to no avail.

 

You are able to use a separate IP for authentication, called aaadnatIp, via the command "set aaa parameter -aaadnatIp <ip-address>".

See this blog for some insights about the authentication traffic: https://norz.at/?p=934

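The check Britton ran by hand with nstcpdump (which appliance-owned address is sourcing the LDAP traffic, and can that address reach the domain controller VLAN at all) can be scripted so it is repeatable across NSIP, SNIP and aaadnatIp. The Python below is an added example for this thread, not Citrix code and not posted by anyone here. The addresses, the reachable-subnet table, the aaadnatIp value and the capture lines are all constructed assumptions; the parser assumes tcpdump-style summary lines, which is what nstcpdump prints.

```python
"""Audit which NetScaler-owned address sourced each LDAP flow in a capture.

Added example for this thread; it is not Citrix code. The addresses, the
capture lines and the reachable-subnet table below are constructed
assumptions that mirror the situation described (NSIP on a VLAN that
cannot reach the domain controllers, SNIP and aaadnatIp that can).
"""
import ipaddress
import re

# Ports on which a domain controller answers LDAP: LDAP, LDAPS, GC, GC over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Matches the flow part of a tcpdump/nstcpdump summary line, for example
# "12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.20.389: Flags [S], ..."
FLOW_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed appliance addresses (RFC 5737 documentation ranges).
NSIP = "192.0.2.10"               # management address on the NSIP VLAN
SNIPS = {"198.51.100.5"}          # subnet IP on the server VLAN
AAAD_NAT_IP = "198.51.100.6"      # assumed value for "set aaa parameter -aaadnatIp"
DOMAIN_CONTROLLER = "198.51.100.20"

# Which subnets each owned address can actually reach. Constructed: the NSIP
# VLAN has no route to the server VLAN, which is the thread's failure mode.
ROUTABLE = {
    NSIP: ["192.0.2.0/24"],
    "198.51.100.5": ["198.51.100.0/24"],
    AAAD_NAT_IP: ["198.51.100.0/24"],
}

# Constructed capture lines: one NSIP-sourced probe (the broken case), one
# SNIP-sourced probe, a non-LDAP flow, an aaadnatIp-sourced LDAPS bind, the
# server's reply, and a hex-dump line that is not a flow summary at all.
CAPTURE = [
    "12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.20.389: Flags [S], seq 1, length 0",
    "12:00:01.000002 IP 198.51.100.5.51235 > 198.51.100.20.389: Flags [S], seq 2, length 0",
    "12:00:01.000003 IP 198.51.100.5.51236 > 198.51.100.20.443: Flags [S], seq 3, length 0",
    "12:00:01.000004 IP 198.51.100.6.51237 > 198.51.100.20.636: Flags [S], seq 4, length 0",
    "12:00:01.000005 IP 198.51.100.20.389 > 198.51.100.5.51235: Flags [S.], seq 9, ack 3, length 0",
    "        0x0000:  4500 003c 1c46 4000 4006 b1e6 c633 640a",
]


def classify_source(src, nsip, snips, aaad_nat_ip=None):
    """Name the role of the appliance address that sourced a flow."""
    if src == nsip:
        return "NSIP"
    if aaad_nat_ip and src == aaad_nat_ip:
        return "aaadnatIp"
    if src in snips:
        return "SNIP"
    return "other"


def parse_flows(lines):
    """Yield (src, dst, dport) for each summary line whose destination is an LDAP port."""
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            continue  # hex dump or other non-summary output
        dport = int(match.group("dport"))
        if dport in LDAP_PORTS:
            yield match.group("src"), match.group("dst"), dport


def can_reach(src, dst, routable):
    """True if dst lies in a subnet the source address is known to reach."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in ipaddress.ip_network(cidr) for cidr in routable.get(src, []))


def audit_ldap_sources(lines, nsip, snips, aaad_nat_ip, routable):
    """Return one finding per LDAP flow: who sourced it and whether it can get there."""
    findings = []
    for src, dst, dport in parse_flows(lines):
        findings.append({
            "src": src,
            "role": classify_source(src, nsip, snips, aaad_nat_ip),
            "dst": dst,
            "dport": dport,
            "reachable": can_reach(src, dst, routable),
        })
    return findings


def unreachable_roles(findings):
    """Roles (NSIP/SNIP/aaadnatIp/other) that sourced at least one unreachable flow."""
    return sorted({f["role"] for f in findings if not f["reachable"]})


def run_example():
    """Run the audit over the constructed capture."""
    return audit_ldap_sources(CAPTURE, NSIP, SNIPS, AAAD_NAT_IP, ROUTABLE)


if __name__ == "__main__":
    for f in run_example():
        state = "ok" if f["reachable"] else "UNREACHABLE"
        print(f'{f["role"]:<9} {f["src"]} -> {f["dst"]}:{f["dport"]}  {state}')
    print("unreachable from:", unreachable_roles(run_example()))
```

On the constructed capture the NSIP-sourced flow to port 389 is the only one flagged, which is exactly the symptom in the first post: the scriptable LDAP monitor (or the policy "test" button) probes from an address with no route to the domain controllers, while SNIP- and aaadnatIp-sourced flows are fine. Feed it real nstcpdump output and the real NSIP/SNIP/aaadnatIp values and the ROUTABLE table becomes the thing to keep honest.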
