secd.ldap.noServers with Anycast LDAP servers because switch splits TCP handshake
Applies to
- ONTAP 9
- LDAP
- Anycast
Issue
- ONTAP LDAP client is configured to send LDAP requests to the Anycast IP address(es) of the LDAP server(s)
    ::> ldap client show -client-config ldap_client_config -fields ldap-servers -vserver svm1
    vserver client-config      ldap-servers
    ------- ------------------ ------------------------------------
    svm1    ldap_client_config <Anycast_IP>, <Anycast_DNS_hostname>
- A single Anycast IP is shared by multiple LDAP servers
- When ONTAP sends traffic to an Anycast IP, the switch that receives the traffic decides, packet by packet, which of the LDAP servers sharing that IP the traffic is forwarded to. If the SYN of a TCP connection and the packets that follow it are forwarded to different servers, the three-way handshake is split between servers and never completes, so the connect() from ONTAP times out
- EMS intermittently logs secd.ldap.noServers:
    Fri Jul 18 09:33:59 +0000 [node-01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: NetgroupMembersFromName).
    Fri Jul 18 09:04:35 +0000 [node-03: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: Check LDAP Config).
- SECD logs show the TCP connection to the Anycast IP timing out and no server being available:
    [ 6010] TCP connection to ip <Anycast_IP>, port 389 failed: Operation timed out.
    [ 6012] Unable to connect to LDAP (NIS & Name Mapping) service on <Anycast_DNS_hostname> (Error: Can't contact LDAP server)
    [ 6013] No servers available for LDAP_NIS_AND_NAME_MAPPING, vserver: 8, domain: .
    [ 6013] FAILURE: Unable to make a connection (LDAP (NIS & Name Mapping):), Result: RESULT_ERROR_SECD_NO_SERVER_AVAILABLE
- The SECD debug trace for the same attempt:
    [004.009.379] debug: Getting LIF service for dst port 389 { in getLifService() at src/connection_manager/secd_connection_shim.cpp:236 }
    [004.009.382] debug: Connection type LDAP (NIS & Name Mapping) translated to LIF service = 28 { in getLifService() at src/connection_manager/secd_connection_shim.cpp:271 }
    [004.009.393] debug: CM_STATS: Tracking connect() to server <Anycast_IP>, port 389 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:885 }
    [006.010.276] debug: Connection timed out after 2 second(s) { in _connect() at src/connection_manager/secd_connection_shim.cpp:487 }
    [006.010.307] info : TCP connection to ip <Anycast_IP>, port 389 failed: Operation timed out. { in _connect() at src/connection_manager/secd_connection_shim.cpp:582 }
    [006.011.793] debug: Vserver's operational state: running { in isVserverRunning() at src/configuration_manager/secd_configuration_manager.cpp:2814 }
    [006.011.813] debug: Logged secd.conn.auth.failure to EMS { in logEmsEventForServerConnAuthError() at src/utils/secd_ems_utils.cpp:431 }
    [006.011.848] debug: ldap_sasl_bind_s returned -1 { in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:854 }
    [006.011.897] ERR  : RESULT_ERROR_LDAPSERVER_SERVER_DOWN:7642 in ldapSaslBindSpnego() at src/connection_manager/secd_connection.cpp:864
    [006.011.903] ERR  : ldapSaslBindSpnego: LDAP Error: (-1): 'Can't contact LDAP server':
    [006.011.914] ERR  : RESULT_ERROR_LDAPSERVER_SERVER_DOWN:7642 in ldapSaslBind() at src/connection_manager/secd_connection.cpp:1098
    [006.011.918] ERR  : RESULT_ERROR_LDAPSERVER_SERVER_DOWN:7642 in ldapConnectNIS() at src/connection_manager/secd_connection.cpp:1370
    [006.011.921] ERR  : RESULT_ERROR_LDAPSERVER_SERVER_DOWN:7642 in connect() at src/connection_manager/secd_connection.cpp:2642
    [006.011.930] ERR  : Vserver 8 could not connect or authenticate to ldap server (ldap_hostname) at address <Anycast_IP> with error Can't contact LDAP server. { in connect() at src/connection_manager/secd_connection.cpp:2673 }
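The signature of this issue in the logs is that connect() attempts to the same address sometimes time out and sometimes do not, while a unicast server fails either consistently or not at all. The following triage script is an added example, not NetApp code: it parses SECD trace lines in the "Tracking connect() to server" and "TCP connection to ip ... failed: Operation timed out" formats quoted above, counts attempts and timeouts per server address, and flags any address that both succeeded and timed out. It also counts secd.ldap.noServers EMS events per node. The sample log lines are constructed for the example (192.0.2.10 stands in for <Anycast_IP>, 192.0.2.20 for a hypothetical unicast server, timestamps are made up), and an attempt that is never followed by a timeout line for that address is treated as not having timed out, which is a heuristic, not something the SECD trace states.

```python
"""Triage helper for intermittent secd.ldap.noServers against an Anycast LDAP address.

Added example, not part of the NetApp KB or ONTAP. Parses SECD trace lines in the
formats quoted in the article and reports per-server connect() attempts vs. timeouts.
"""
import re
from collections import OrderedDict

# Constructed sample trace: line formats copied from the article, 192.0.2.10 stands in
# for <Anycast_IP>, 192.0.2.20 for a hypothetical unicast server, timestamps are made up.
SAMPLE_SECD_TRACE = """\
[004.009.393] debug: CM_STATS: Tracking connect() to server 192.0.2.10, port 389 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:885 }
[006.010.276] debug: Connection timed out after 2 second(s) { in _connect() at src/connection_manager/secd_connection_shim.cpp:487 }
[006.010.307] info : TCP connection to ip 192.0.2.10, port 389 failed: Operation timed out. { in _connect() at src/connection_manager/secd_connection_shim.cpp:582 }
[012.100.000] debug: CM_STATS: Tracking connect() to server 192.0.2.10, port 389 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:885 }
[012.150.000] debug: CM_STATS: Tracking connect() to server 192.0.2.20, port 389 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:885 }
[020.000.000] debug: CM_STATS: Tracking connect() to server 192.0.2.10, port 389 { in startConnectTracking() at src/cm/secd_cm_stats_manager.cpp:885 }
[022.000.500] info : TCP connection to ip 192.0.2.10, port 389 failed: Operation timed out. { in _connect() at src/connection_manager/secd_connection_shim.cpp:582 }
"""

# Constructed sample EMS lines in the format quoted in the article (third line added).
SAMPLE_EMS = """\
Fri Jul 18 09:33:59 +0000 [node-01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: NetgroupMembersFromName).
Fri Jul 18 09:04:35 +0000 [node-03: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: Check LDAP Config).
Fri Jul 18 09:41:12 +0000 [node-01: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (svm1) are currently accessible via the network for LDAP service type (Service: LDAP (NIS & Name Mapping), Operation: Check LDAP Config).
"""

# One connect() attempt is opened by the CM_STATS tracking line ...
TRACK_RE = re.compile(r"Tracking connect\(\) to server (?P<ip>\S+), port (?P<port>\d+)")
# ... and closed as a timeout by the "failed: Operation timed out" line for the same address.
TIMEOUT_RE = re.compile(
    r"TCP connection to ip (?P<ip>\S+), port (?P<port>\d+) failed: Operation timed out"
)
# EMS event: "[<node>: secd: secd.ldap.noServers:EMERGENCY]"
EMS_RE = re.compile(r"\[(?P<node>[^:\]]+): secd: secd\.ldap\.noServers:EMERGENCY\]")


def summarize_connects(trace_text):
    """Return {"ip:port": {"attempts": n, "timeouts": m}} in first-seen order.

    Heuristic (assumption): an attempt with no later timeout line for that
    address is counted as not timed out.
    """
    stats = OrderedDict()
    for line in trace_text.splitlines():
        m = TRACK_RE.search(line)
        if m:
            key = f"{m['ip']}:{m['port']}"
            stats.setdefault(key, {"attempts": 0, "timeouts": 0})["attempts"] += 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            key = f"{m['ip']}:{m['port']}"
            stats.setdefault(key, {"attempts": 0, "timeouts": 0})["timeouts"] += 1
    return stats


def intermittent_servers(stats):
    """Addresses that timed out on some attempts but not all.

    This mixed result against a single address is the pattern expected when
    packets of one TCP handshake are forwarded to different Anycast servers.
    """
    return [srv for srv, e in stats.items() if 0 < e["timeouts"] < e["attempts"]]


def noservers_by_node(ems_text):
    """Count secd.ldap.noServers EMS events per node to see how widespread it is."""
    counts = {}
    for m in EMS_RE.finditer(ems_text):
        counts[m["node"]] = counts.get(m["node"], 0) + 1
    return counts


if __name__ == "__main__":
    stats = summarize_connects(SAMPLE_SECD_TRACE)
    for server, e in stats.items():
        print(f"{server}: {e['attempts']} connect() tracked, {e['timeouts']} timed out")
    print("intermittent (check against configured Anycast IP):", intermittent_servers(stats))
    print("secd.ldap.noServers events per node:", noservers_by_node(SAMPLE_EMS))
```

Run it against the real SECD trace (replace SAMPLE_SECD_TRACE with the file contents) and compare the flagged addresses with the ldap-servers field from ldap client show: if the only intermittently failing address is the Anycast IP and the EMS events are spread across several nodes, the failure is in the path to the Anycast address rather than in any single LDAP server.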