
LDAPS - working but throws errors

Hi everyone,

I implemented LDAPS for Sophos UTM some time ago, and everything was working fine, I thought.

But due to the Microsoft LDAP signing requirements, I had a deeper look into LDAP logging.

I get this error all the time:
Internal event: An LDAP client connection was closed because of an error.

Client IP:
FW IP Address:41660

Additional Data
Error value:
3 The system cannot find the path specified.
Internal ID:
c0605e5

And the login try is counted 2 times!

Anyone else experiencing this?

I have set the logging as described here:

<https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging>

Best regards

Stephan

  • Hi

    Do you notice any errors on the aua.log (Authentication) in Sophos UTM? You should check the logs there as well, it might hint at something. Refer to this KBA Sophos UTM: Log names and service locations.

    Regards

    Jaydeep

  • Hallo Stephan,

    You might want to check out Douglas Foster's Sophos UTM: Using LDAP with Active Directory.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your responses. Now I had some time to have another look at it.

    I have this entry a couple of times, matching some of the warnings in AD:

    2020:03:02-13:43:20 fw3str-1 aua[6291]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 33"
    2020:03:02-13:43:20 fw3str-1 aua[6291]: id="3006" severity="info" sys="System" sub="auth" name="Child 14535 is running too long. Terminating child"

    And the multiple wrong attempts may be explained by this: it does not stop at the first server that delivers "wrong password" but goes through the others. Should I work with availability groups here? (single forest)

    2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying some ip (adirectory)"
    2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying another ip (adirectory)"
    2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying some ip  (radius)"
    2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Server some ip (ldap) is disabled"
    2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="external ip" host="" user="username" caller="openvpn" reason="DENIED"
    2020:03:02-13:02:45 fw3str-1 aua[6291]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 33"

    Best regards

    Stephan

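The server-by-server behaviour visible in Stephan's aua.log excerpt above, as an added example that is not part of the original thread and not Sophos's own tooling: a small Python parser for aua.log lines that groups events by the aua worker PID and, for each failed login, counts how many adirectory servers were consulted in that worker. That count is the number of domain controllers that could each have recorded a bad-password attempt for the user. The sample log lines and IP addresses below are constructed here, modelled on the excerpt; the field names (id, name, user, caller, srcip, reason) are the ones the excerpt itself shows.

```python
import re
from collections import defaultdict

# Constructed sample aua.log lines modelled on the thread's excerpt.
# IP addresses are placeholders, not taken from the page.
SAMPLE_LOG = """\
2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.11 (adirectory)"
2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.12 (adirectory)"
2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.20  (radius)"
2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.30 (ldap) is disabled"
2020:03:02-13:02:35 fw3str-1 aua[17698]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.5" host="" user="jdoe" caller="openvpn" reason="DENIED"
2020:03:02-13:02:45 fw3str-1 aua[6291]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 33"
"""

# Line layout as seen in the excerpt: <timestamp> <host> <process>[<pid>]: key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Message texts the excerpt shows for backend selection.
TRYING_RE = re.compile(r'^Trying (?P<server>\S+)\s+\((?P<backend>\w+)\)$')
DISABLED_RE = re.compile(r'^Server (?P<server>\S+) \((?P<backend>\w+)\) is disabled$')


def parse_line(line):
    """Return a dict with ts, host, proc, pid and the key="value" fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    rec['fields'] = dict(KV_RE.findall(rec.pop('rest')))
    return rec


def summarize(lines):
    """Group aua events by worker PID: backends tried, backends reported disabled, and failed logins."""
    per_pid = defaultdict(lambda: {'tried': [], 'disabled': [], 'failures': []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['proc'] != 'aua':
            continue
        f = rec['fields']
        name = f.get('name', '')
        entry = per_pid[rec['pid']]
        m_try = TRYING_RE.match(name)
        m_dis = DISABLED_RE.match(name)
        if m_try:
            entry['tried'].append((m_try['server'], m_try['backend']))
        elif m_dis:
            # A disabled but still-configured backend: stale entry worth cleaning up.
            entry['disabled'].append((m_dis['server'], m_dis['backend']))
        elif f.get('id') == '3005' and name == 'Authentication failed':
            entry['failures'].append({'user': f.get('user'), 'srcip': f.get('srcip'),
                                      'caller': f.get('caller'), 'reason': f.get('reason')})
    return dict(per_pid)


def failed_logins_per_dc(summary):
    """For each failed login, count the adirectory servers consulted by that worker.

    Each consulted DC may have registered its own bad-password attempt, so this is the
    number of lockout-counter increments a single wrong password can produce.
    """
    out = []
    for pid, e in summary.items():
        dcs = [server for server, backend in e['tried'] if backend == 'adirectory']
        for fail in e['failures']:
            out.append({'pid': pid, 'user': fail['user'], 'caller': fail['caller'],
                        'dcs_tried': len(dcs)})
    return out


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG.splitlines())
    for pid, e in s.items():
        if e['disabled']:
            print(f"pid {pid}: disabled backends still configured: {e['disabled']}")
    for r in failed_logins_per_dc(s):
        print(f"pid {r['pid']}: {r['caller']} login for {r['user']} failed after "
              f"{r['dcs_tried']} domain controller(s) were tried")
```

On the constructed sample the single OpenVPN failure is reported as having reached two domain controllers, which matches the "counted 2 times" observation in the thread; on a real aua.log, pass the file's lines to summarize() instead of SAMPLE_LOG. The disabled-backend report makes stale server entries easy to spot before they confuse the analysis.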
  • If both AD servers are in the same Ethernet segment, then an Availability Group would cause only a single message.

    But, I'm confused: "Server some ip (ldap) is disabled". Is there a separate LDAP server? Is the user in AD?

    Cheers - Bob

  • Hey Bob,

    I now created an availability group. Seems to work :)

    The LDAP server was an old entry that was not deleted but disabled.

    I'm not sure why I have a RADIUS server listed here. Is it needed for WPA2 Enterprise? Or did I try something out and forget to delete it ;)

    Thanks for your help.

    Best regards

    Stephan

  • Yes, Stephan, for WPA2 Enterprise.

    Cheers - Bob
