The most common cause for this problem is that a connection is being dropped by your firewall or other network equipment due to their TCP idle timeout settings.
The ESA will maintain a number of active TCP sessions to your LDAP servers. These will be used for 6 hours or 10,000 queries, whichever comes first.
What can happen is that a TCP session can remain idle for some time while mail flow is slow. When the ESA attempts to re-use that connection, your firewall may see that this TCP session has not been used for a long time and so it will drop the packet.
To correct this, you would need to disable the TCP idle timeout settings on your firewall for the ESA's IP address.
While this issue does produce the occasional alert message, it should not have any significant impact on mail flow. If an LDAP query times out, the appliance may soft bounce an email, but the sending server should retry any soft bounces. This means that this may delay emails but it should not cause them to be dropped or hard bounced.
To make sure that the issue is not something more serious, I recommend going to System Administration -> LDAP, clicking on your LDAP server profile and running a test query for your "Accept" query. If you see the expected results here, the issue is almost certainly the transient TCP idle timeout problem described above.
Hope this helps!
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
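The interaction described in the answer above can be modelled in a few lines. This is an added example, not part of the original post and not Cisco code: it is a simplified model of one pooled LDAP session, and the query timestamps and the 3600-second firewall idle timeout are constructed values.

```python
from dataclasses import dataclass

MAX_AGE_S = 6 * 3600   # from the post: a session is used for 6 hours...
MAX_QUERIES = 10_000   # ...or 10,000 queries, whichever comes first


@dataclass
class Session:
    opened: float
    last_used: float
    queries: int = 1


def simulate(query_times, fw_idle_timeout_s):
    """Classify each query sent over a single pooled session.

    "new-session": the client opened (or recycled) the TCP session
    "ok":          the existing session was re-used successfully
    "timeout":     the firewall had already expired the idle flow, so the
                   packet is dropped and the query times out
    fw_idle_timeout_s=None models the idle timeout being disabled.
    """
    results, sess = [], None
    for t in sorted(query_times):
        expired = sess is not None and (
            t - sess.opened >= MAX_AGE_S or sess.queries >= MAX_QUERIES)
        if sess is None or expired:
            sess = Session(opened=t, last_used=t)
            results.append((t, "new-session"))
            continue
        idle = t - sess.last_used
        if fw_idle_timeout_s is not None and idle > fw_idle_timeout_s:
            results.append((t, "timeout"))
            sess = None  # dead session is abandoned; next query reconnects
            continue
        sess.last_used = t
        sess.queries += 1
        results.append((t, "ok"))
    return results


# Constructed sample: seconds since the first query, with a quiet period
# between t=120 and t=5000 while mail flow is slow.
SAMPLE_QUERIES = [0, 60, 120, 5000, 5010, 5100, 26610]

if __name__ == "__main__":
    for timeout in (3600, None):
        print(timeout, simulate(SAMPLE_QUERIES, timeout))
```

With the constructed 3600-second timeout, only the first query after the quiet period fails, which matches the occasional alert the answer describes; with the timeout disabled, the session is replaced only when it reaches its 6-hour lifetime.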