Cisco 2911 - LDAP locks up after a login using an incorrect password over VPN

rmnr
Level 1

Hi,

Cisco 2911 - LDAP locks up after a login using an incorrect password over VPN; we have to clear the LDAP server with the command below before any user can connect again.

clear ldap server DC01 (DC01 is the ldap server configured)

Below is the debug when any user tries to login using correct password while LDAP is locked out.

"Receive event: read=1, errno=11 (Resource Temporarily Unavailable)"

"LDAP Search Operation result : failed"

We are using the Cisco VPN client to connect. Could anyone help us fix this or find a workaround?

Thanks,

Rijath Mohamed

6 Replies

Philip D'Ath
VIP Alumni

What version of software are you running on your 2911?

Philip D'Ath
VIP Alumni

It looks to me like the LDAP server is returning a "resource temporarily unavailable" error, and the 2911 will be knocking out the LDAP server from further consideration for a period of time - because the server is saying it is sick.

I would check the log on the LDAP server to see if it says anything interesting.

rmnr
Level 1

Thank you for replying, Philip.

The LDAP server does not log any error when authentication is failing; moreover, this started happening after updating IOS from 15.2.4 M6 to 15.6.3 M1 - the issue exists in version 152-4.M6 as well.

Philip D'Ath
VIP Alumni
Accepted Solution

Then this is clearly an IOS issue.

I would try a gold star release such as 15.5.3M5 or 15.4.3M7.

15.6 is bleeding edge new.

rmnr
Level 1

I do not think that will work either, Philip. We are going to test it with AnyConnect! :) Thank you for helping me out.

rmnr
Level 1

Hi Philip,

Found a workaround for this issue:

  • LDAP requests are successfully authenticated until any one user connects with an incorrect password
  • From that moment, a 'User is rejected' message is sent by the router even when a user tries with the correct password
  • Packet captures on the server showed the error 'Successful bind is required to perform this action'
  • So I added 'bind-first' to the LDAP server config
  • Now binding is successful, but the router was searching only in the base-dn string, not inside the OU
  • Updated the base-dn value to the complete string of the OU where the user is located

So now LDAP on the router does not get locked if a user tries an incorrect password; users are able to connect with the correct password without clearing the active LDAP server session.

I too believe that this is an issue with the IOS code, but we are happy as long as the above solution works for us. :)

Thank you, 

Rijath Mohammed
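The workaround described in the reply above, written out as an IOS `ldap server` configuration. This is an added example and not configuration from the original thread: only the server name DC01 and the two changes (bind-first, base-dn pointing at the users' OU) come from the post; the IP address, service-account DN and password, the OU and domain names, and the AAA group and method-list names are assumed placeholders. The `authentication bind-first` command makes the router bind with the service account before searching for the user, which is what the poster's packet capture ('Successful bind is required to perform this action') called for; verify the exact command syntax against the IOS release running on the router.

```cisco
! Added example (not from the original post). DC01 is the server name used in the
! thread; the address, DNs, account name and AAA names below are placeholders.
aaa new-model
!
ldap server DC01
 ipv4 192.0.2.10
 ! Service account the router binds with before it searches for the user
 ! (assumed DN and password; use a low-privilege, read-only account)
 bind authenticate root-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=com password 0 ServiceAccountPassword
 ! Second change from the post: search from the OU that actually holds the
 ! VPN users, not the domain root (assumed OU and domain)
 base-dn OU=VPN Users,DC=example,DC=com
 ! First change from the post: bind with the service account first, then
 ! search for and authenticate the user
 authentication bind-first
!
aaa group server ldap LDAP-VPN
 server DC01
!
! Method list used by the VPN for user login (assumed name)
aaa authentication login VPN-USERS group LDAP-VPN
!
! Verification after a deliberate bad-password login: the server should stay
! usable, so the recovery command from the post should no longer be needed.
!   show ldap server all
!   clear ldap server DC01
```

To confirm the workaround holds, log in once with a wrong password and then with the correct one for a different user; a successful second login without an intervening `clear ldap server DC01` is the behaviour the poster reports.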
