Article ID: CTX338405
Description
The customer configured LDAP authentication through a NetScaler load balancing virtual server of type SSL_TCP in front of the backend LDAP server. The LDAP test (and with it LDAP authentication) failed intermittently rather than on every attempt.
Resolution
- Configure the LDAP load balancing virtual server with protocol type TCP instead of SSL_TCP. With a TCP vserver the ADC no longer terminates TLS; the LDAPS session is passed through end to end between the client and the backend LDAP server, so the ADC's SSL handshake processing is no longer involved. The LDAP server must therefore present a certificate the client trusts.
- Refer to the NetScaler configuration guide for how to create a TCP type virtual server.
Problem Cause
- In the trace taken on the ADC, after receiving the client's Encrypted Handshake Message (the TLS Finished message), the ADC sent SSL alert 47 (illegal_parameter) and reset the TCP connection. The RST carries window size 9811; NetScaler encodes the reason for a reset in the window size field of the RST packet.
- Comparing the traces of the working and non-working scenarios shows that the ADC resets the connection whenever the Encrypted Handshake Message record is longer than 96 bytes.
- If the client's Finished message exceeds 96 bytes, NetScaler resets the SSL connection. Because the size of that record depends on the client and the negotiated cipher suite, only some connections are affected, which is why the LDAP test failed intermittently. An enhancement request (ENH) is already filed for this: NSHELP-14711.
1. Non-working scenario: [trace screenshot not included]
2. Working scenario: [trace screenshot not included]
In the non-working scenario, the counter "ssl_err_ssl3_get_msg_ivld_msg_size" increments in the NetScaler performance log "/var/nslog/newnslog*" (for example, nsconmsg -K /var/nslog/newnslog -d current -g ssl_err_ssl3_get_msg_ivld_msg_size).
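The following Python script is an added example and is not part of the Citrix article or of any NetScaler tooling. It walks a captured TLS 1.2 client byte stream (the raw bytes of one direction of the connection), locates the first handshake record after the client's ChangeCipherSpec (the record Wireshark labels "Encrypted Handshake Message"), and compares its length with the 96-byte limit described above. It also computes, from the RFC 5246 record layout, the expected size of that record for common cipher suite shapes, which shows that a TLS 1.2 CBC suite with a SHA-384 MAC lands exactly on 96 bytes and that any client adding extra CBC padding goes past it. The sample streams, the 96-byte threshold constant and the function names are constructed for this example.

```python
"""Added example: measure the TLS Finished record in a captured client stream
and compare it with the 96-byte limit from the article (not Citrix code)."""
import struct

CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
LIMIT = 96  # threshold observed in the article's traces (assumed exact boundary)


def iter_records(data: bytes):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        yield ctype, ver, body
        off += 5 + length


def finished_record_len(client_stream: bytes):
    """Length of the first handshake record after ChangeCipherSpec, i.e. the
    encrypted Finished message, or None if the stream has no CCS."""
    seen_ccs = False
    for ctype, _ver, body in iter_records(client_stream):
        if seen_ccs and ctype == HANDSHAKE:
            return len(body)
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True
    return None


def exceeds_limit(client_stream: bytes, limit: int = LIMIT) -> bool:
    """True when the client's Finished record is larger than the ADC tolerates."""
    n = finished_record_len(client_stream)
    return n is not None and n > limit


def expected_cbc_finished_len(mac_len: int, block_size: int = 16,
                              explicit_iv: bool = True, extra_padding: int = 0) -> int:
    """Expected encrypted length of a TLS CBC-mode Finished record (RFC 5246
    GenericBlockCipher): [explicit IV] + content + MAC + padding + padding_length.
    Content is the 4-byte handshake header plus 12 bytes of verify_data.
    extra_padding models clients that pad beyond the minimum (allowed up to 255)."""
    content = 4 + 12
    iv = block_size if explicit_iv else 0          # TLS 1.1+ carries an explicit IV
    unpadded = iv + content + mac_len + 1 + extra_padding  # +1 = padding_length byte
    return unpadded + (-unpadded) % block_size     # pad up to a block boundary


def _record(ctype: int, body: bytes, ver: int = 0x0303) -> bytes:
    return struct.pack("!BHH", ctype, ver, len(body)) + body


# Constructed sample client streams (not taken from the article's trace):
# a stand-in ClientHello, ChangeCipherSpec, then the encrypted Finished record.
SAMPLE_OK = (_record(HANDSHAKE, b"\x01" + b"\x00" * 40)
             + _record(CHANGE_CIPHER_SPEC, b"\x01")
             + _record(HANDSHAKE, b"\xaa" * 96))     # 96 bytes: accepted
SAMPLE_BAD = (_record(HANDSHAKE, b"\x01" + b"\x00" * 40)
              + _record(CHANGE_CIPHER_SPEC, b"\x01")
              + _record(HANDSHAKE, b"\xbb" * 112))   # 112 bytes: reset by the ADC


if __name__ == "__main__":
    for name, stream in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, finished_record_len(stream), "bytes, exceeds limit:",
              exceeds_limit(stream))
    for label, kwargs in (("TLS1.0 AES-CBC-SHA", dict(mac_len=20, explicit_iv=False)),
                          ("TLS1.2 AES-CBC-SHA", dict(mac_len=20)),
                          ("TLS1.2 AES-CBC-SHA256", dict(mac_len=32)),
                          ("TLS1.2 AES-CBC-SHA384", dict(mac_len=48)),
                          ("TLS1.2 SHA384 + 16 extra pad", dict(mac_len=48, extra_padding=16))):
        print("%-32s %3d bytes" % (label, expected_cbc_finished_len(**kwargs)))
```

To use it on a real capture, export the client-to-ADC TCP payload from the trace as raw bytes and pass it to finished_record_len(); a result above 96 on a connection that was reset with alert 47 matches the failure pattern in the traces above.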