Identifying the Cause of LDAP Synchronization Failure
Hello, We have been synchronizing accounts with an on-premises LDAP server. The synchronization worked normally until July 2nd, but it stopped working from July 3rd.
We want to identify the cause, but it is difficult to investigate because the source IP shown in the web UI is different.
Does anyone have any ideas on how to perform something like a traceroute from the source IP used for LDAP synchronization?
Thank you for your question in the community portal!
Sorry to hear that you're experiencing some LDAP issues!
Ok, so regarding this issue, and of course, your expertise in LDAP and Wireshark.
What you can do is run the 'Test Connection' feature in the CMA, found here:
What this should do is create an LDAP bind request to your respective LDAP server, which you can observe if you run a PCAP on the socket where the server resides; this can be done following the KB here:
Now, the below I use for my own knowledge (not affiliated with Cato, and please use at your own discretion) is this excellent external article, which explains the LDAP process and what to look for:
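To make "what to look for" in that PCAP concrete, here is an added Python example (it is not Cato's code and not from the linked article). It decodes the LDAP BindRequest and BindResponse PDUs (RFC 4511, BER-encoded) out of the TCP payload of a capture and states whether the bind was never seen, went unanswered (a path problem beyond the capture point) or was answered with an error (a directory-side problem such as invalidCredentials). The DN, password and diagnostic text are constructed placeholders, and the assumption that Test Connection performs a simple bind is mine, not the thread's.

```python
"""Decode LDAP BindRequest/BindResponse PDUs (RFC 4511, BER) from captured TCP payload.
Added example: the sample messages are constructed by the encoder at the bottom."""
from __future__ import annotations

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple, context [0] primitive
# RFC 4511 resultCode values that matter most when a directory-sync bind fails
RESULT_CODES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights", 52: "unavailable"}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, end) for the definite-length BER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP PDUs")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element (segment cut short in the capture?)")
    return tag, buf[pos:end], end

def split_pdus(payload: bytes) -> list[bytes]:
    """A TCP segment may carry several LDAPMessages; return each one whole."""
    out, pos = [], 0
    while pos < len(payload):
        _, _, end = _read_tlv(payload, pos)
        out.append(payload[pos:end])
        pos = end
    return out

def _children(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed element's content into (tag, value) children."""
    return [_read_tlv(p, 0)[:2] for p in split_pdus(buf)]

def decode_ldap_message(pdu: bytes) -> dict:
    """Decode one LDAPMessage; bind request/response are fully parsed, others only tagged."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError(f"LDAPMessage must be a SEQUENCE, got tag {tag:#04x}")
    (_, msg_id), (op_tag, op_body) = _children(body)[:2]
    msg = {"messageID": int.from_bytes(msg_id, "big", signed=True)}
    if op_tag == TAG_BIND_REQUEST:
        (_, ver), (_, name), (auth_tag, _) = _children(op_body)[:3]
        msg.update(op="bindRequest", version=int.from_bytes(ver, "big"),
                   name=name.decode("utf-8"),
                   auth="simple" if auth_tag == TAG_SIMPLE_AUTH else "sasl")
    elif op_tag == TAG_BIND_RESPONSE:
        (_, rc), (_, matched), (_, diag) = _children(op_body)[:3]
        code = int.from_bytes(rc, "big")
        msg.update(op="bindResponse", resultCode=code,
                   result=RESULT_CODES.get(code, f"code {code}"),
                   matchedDN=matched.decode("utf-8"),
                   diagnosticMessage=diag.decode("utf-8", "replace"))
    else:
        msg["op"] = f"unhandled protocolOp {op_tag:#04x}"
    return msg

def triage_bind(pdus: list[bytes]) -> str:
    """Pair the first bindRequest with its bindResponse (by messageID) and summarise."""
    msgs = [decode_ldap_message(p) for p in pdus]
    reqs = [m for m in msgs if m["op"] == "bindRequest"]
    if not reqs:
        return "no bindRequest seen: the bind never reached this capture point"
    req = reqs[0]
    resp = next((m for m in msgs if m["op"] == "bindResponse"
                 and m["messageID"] == req["messageID"]), None)
    if resp is None:
        return (f"bindRequest {req['messageID']} for {req['name']} got no bindResponse: "
                "the server, or the path beyond this capture point, is not answering")
    if resp["resultCode"] == 0:
        return f"bind {req['messageID']} succeeded"
    return f"bind {req['messageID']} failed: {resp['result']} ({resp['diagnosticMessage']!r})"

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV, enough for the small constructed samples (values < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def build_bind_request(msg_id: int, name: str, password: str) -> bytes:
    """Constructed LDAPv3 simple bind; assumed to match what a 'Test Connection' bind sends."""
    op = (_tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, name.encode())
          + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + _tlv(TAG_BIND_REQUEST, op))

def build_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Constructed bindResponse with an empty matchedDN and the given resultCode."""
    op = (_tlv(TAG_ENUMERATED, bytes([result_code])) + _tlv(TAG_OCTET_STRING, b"")
          + _tlv(TAG_OCTET_STRING, diag.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + _tlv(TAG_BIND_RESPONSE, op))
```

Feed `split_pdus()` the reassembled TCP payload of the LDAP stream (Wireshark's "Follow TCP Stream" raw bytes, for example) and pass the result to `triage_bind()`. A capture on the socket that shows the bindRequest leaving but no bindResponse coming back points at the LAN path or the server; a bindResponse with resultCode 49 means the path is fine and the bind account or password is the problem.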
Thank you for your response. I attempted to connect via Test-Connect from that screen, but the connection failed. The issue is that it's difficult to determine where the communication is being obstructed using Wireshark. Embarrassingly, our company has weak network maintenance along the route. I would like to at least confirm where along the route the problem lies, so it would have been helpful if this test connection had a feature similar to traceroute.
Internet - Firewall - CATO Socket - Network devices ... Network devices - LDAP Server
We do have traceroute and ping functionality within the socket that you can run from the UI of the socket (https://support.catonetworks.com/hc/en-us/articles/4413273496209-Managing-Sockets#heading-8), which you can send over WAN or LAN.
Unfortunately, nothing similar when using the LDAP test functionality.
What I could suggest is maybe running a traceroute or pathping from your LDAP server to the socket LAN interface (to first confirm it can indeed reach the socket), then you could run the same but this time from the LDAP server to the IPs which I shared with you.
At the same time, run a PCAP on the socket and possibly on your switches in your LAN.
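As an added illustration of that last suggestion (example code, not from Cato or anyone in the thread), the Python below does the two LAN-side checks: it parses traceroute or tracert output to report the last hop that replied, which is where to start looking on the Internet - Firewall - Socket - Network devices - LDAP Server chain, and it tests plain TCP reachability of the LDAP ports from whatever host it runs on. The trace text and the 10.20.0.0/16 addresses are constructed; the only reachability check the example exercises is against the local host.

```python
"""Reachability triage for the LDAP server <-> socket path. Added example; the trace
text and addresses are constructed, not output from any real network."""
from __future__ import annotations
import re
import socket

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed traceroute output: hops 1-2 answer, everything after that is silent.
SAMPLE_TRACE = """\
traceroute to 10.20.0.5 (10.20.0.5), 30 hops max, 60 byte packets
 1  10.20.1.1  0.412 ms  0.380 ms  0.371 ms
 2  10.20.255.2  1.210 ms  1.190 ms  1.150 ms
 3  * * *
 4  * * *
"""

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes; refused or timed out -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ldap_ports(host: str, ports: tuple[int, ...] = (389, 636)) -> dict[int, bool]:
    """Is the directory accepting TCP on its LDAP/LDAPS ports from this host at all?"""
    return {p: tcp_reachable(host, p) for p in ports}

def parse_trace(output: str) -> list[tuple[int, str | None]]:
    """Parse traceroute (Linux) or tracert (Windows) lines into (hop, replying IP or None)."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue                       # header lines such as "traceroute to ..."
        ip = IPV4.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops

def path_verdict(output: str, destination: str) -> str:
    """Say whether the destination answered and, if not, where replies stopped."""
    hops = parse_trace(output)
    if not hops:
        return "no hop lines found"
    answered = [(h, ip) for h, ip in hops if ip]
    if not answered:
        return "no hop replied: the first-hop gateway is silent or ICMP is filtered"
    last_hop, last_ip = answered[-1]
    if last_ip == destination:
        return f"destination {destination} reached at hop {last_hop}"
    return f"replies stop after hop {last_hop} ({last_ip}); hop {last_hop + 1} onward is silent"

if __name__ == "__main__":
    print(path_verdict(SAMPLE_TRACE, "10.20.0.5"))
    # 127.0.0.1 is a placeholder; on the LAN, pass the real LDAP server address.
    print(check_ldap_ports("127.0.0.1"))
```

Run the trace from the LDAP server toward the socket LAN interface and paste the output into `path_verdict()` with the socket's LAN IP as the destination; a silent hop that sits on a switch or router you manage is the device to look at first, and a device that is silent to traceroute but still forwards traffic will show up as a gap with the destination still reached, which `path_verdict()` reports as reached.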