LDAP GC requests being denied and then being sent over incorrect interface

  • Question

  • I have just installed a copy of UAG (source from MSDN includes SP1, UAG 4.0.1752.1000 / TMG 7.0.9027.400) on a newly installed physical server running Windows 2008 R2 (fully patched from Windows Update). I have only created a HTTPS Trunk and published a SharePoint 2010 application using the local AD forest for authentication.


    The published application in the Portal randomly does not show up for users at the same time that LDAP GC queries are being dropped/denied by TMG.


    Denied Connection
    Log type: Firewall service
    Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
    Rule: None - see Result Code
    Source: Local Host (10.200.1.5:45245)
    Destination: Internal (10.200.1.12:3268)
    Protocol: LDAP GC (Global Catalog)

    TMG then drops/denies UAG attempts to send the LDAP GC queries over the Internet NIC!

    Denied Connection
    Log type: Firewall service
    Status: A packet was dropped because its destination IP address is unreachable.
    Rule: None - see Result Code
    Source: Local Host (77.89.128.108:45274)
    Destination: Internal (10.200.1.12:3268)
    Protocol: LDAP GC (Global Catalog)

    The UAG Server has 2 NIC Interfaces, one connected to the Internal Network (10.200.0.0/255.255.0.0) and the other connected to the Internet.


    The routing table is shown below:

    ===========================================================================
    Interface List
     19...00 ff 08 01 19 47 ......SSL Network Tunneling
     11...d8 d3 85 e3 72 56 ......HP NC362i Integrated DP Gigabit Server Adapter
     12...d8 d3 85 e3 72 57 ......HP NC362i Integrated DP Gigabit Server Adapter #2
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination  Netmask            Gateway         Interface        Metric
    0.0.0.0              0.0.0.0            77.89.128.97    77.89.128.108    266
    10.100.0.0           255.255.0.0        10.200.1.191    10.200.1.5       11
    10.200.0.0           255.255.0.0        On-link         10.200.1.5       266
    10.200.1.5           255.255.255.255    On-link         10.200.1.5       266
    10.200.255.255       255.255.255.255    On-link         10.200.1.5       266
    77.89.128.96         255.255.255.224    On-link         77.89.128.108    266
    77.89.128.108        255.255.255.255    On-link         77.89.128.108    266
    77.89.128.123        255.255.255.255    On-link         77.89.128.108    266
    77.89.128.124        255.255.255.255    On-link         77.89.128.108    266
    77.89.128.125        255.255.255.255    On-link         77.89.128.108    266
    77.89.128.126        255.255.255.255    On-link         77.89.128.108    266
    77.89.128.127        255.255.255.255    On-link         77.89.128.108    266
    127.0.0.0            255.0.0.0          On-link         127.0.0.1        306
    127.0.0.1            255.255.255.255    On-link         127.0.0.1        306
    127.255.255.255      255.255.255.255    On-link         127.0.0.1        306
    224.0.0.0            240.0.0.0          On-link         127.0.0.1        306
    224.0.0.0            240.0.0.0          On-link         10.200.1.5       266
    224.0.0.0            240.0.0.0          On-link         77.89.128.108    266
    255.255.255.255      255.255.255.255    On-link         127.0.0.1        306
    255.255.255.255      255.255.255.255    On-link         10.200.1.5       266
    255.255.255.255      255.255.255.255    On-link         77.89.128.108    266
    ===========================================================================
    Persistent Routes:
      Network Address    Netmask          Gateway Address  Metric
      0.0.0.0            0.0.0.0          77.89.128.97     Default
      10.100.0.0         255.255.0.0      10.200.1.191     1
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    I can’t see anything wrong with the TMG/UAG configuration and the routing table looks correct to me.


    Has anyone else seen this problem, as currently it looks like a bug to me?


    Tuesday, February 22, 2011 2:52 PM
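The first denial above describes a specific consistency condition: the packet's source address belongs to one adapter while the route to its destination leaves through another. The following Python script is an added illustration, not code from the original post or from Microsoft; it parses the IPv4 active routes quoted in the question (the host routes for 77.89.128.123-127 are omitted for brevity), performs a longest-prefix match with metric tie-break, and checks each of the two denied flows from the log against that condition. The route-selection order (longest prefix, then lowest metric) is the standard IPv4 rule and is an assumption about how the table is consulted, not something the log states. The function names are the example's own.

```python
import ipaddress

# Active IPv4 routes copied from the "route print" output in the question
# (the /32 host routes for 77.89.128.123-127 are omitted for brevity).
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          77.89.128.97  77.89.128.108  266
10.100.0.0       255.255.0.0      10.200.1.191  10.200.1.5     11
10.200.0.0       255.255.0.0      On-link       10.200.1.5     266
10.200.1.5       255.255.255.255  On-link       10.200.1.5     266
10.200.255.255   255.255.255.255  On-link       10.200.1.5     266
77.89.128.96     255.255.255.224  On-link       77.89.128.108  266
77.89.128.108    255.255.255.255  On-link       77.89.128.108  266
127.0.0.0        255.0.0.0        On-link       127.0.0.1      306
127.0.0.1        255.255.255.255  On-link       127.0.0.1      306
127.255.255.255  255.255.255.255  On-link       127.0.0.1      306
224.0.0.0        240.0.0.0        On-link       127.0.0.1      306
224.0.0.0        240.0.0.0        On-link       10.200.1.5     266
224.0.0.0        240.0.0.0        On-link       77.89.128.108  266
255.255.255.255  255.255.255.255  On-link       127.0.0.1      306
255.255.255.255  255.255.255.255  On-link       10.200.1.5     266
255.255.255.255  255.255.255.255  On-link       77.89.128.108  266
"""

# The two denied connections from the TMG log in the question: (source, destination).
DENIED = [("10.200.1.5", "10.200.1.12"), ("77.89.128.108", "10.200.1.12")]


def parse_routes(text):
    """Parse 'route print' style rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and separators
        dest, mask, gateway, iface, metric = parts
        # ipaddress accepts a dotted netmask after the slash
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def select_route(routes, destination):
    """Longest-prefix match; lowest metric breaks ties (assumed selection order)."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, destination):
    """Return the local interface address the route to 'destination' uses."""
    route = select_route(routes, destination)
    return None if route is None else str(route[2])


def source_matches_egress(routes, source, destination):
    """The condition in the log: the source IP must belong to the egress adapter."""
    return egress_interface(routes, destination) == source


def audit(routes, flows):
    """Classify each (source, destination) pair as consistent or mismatched."""
    return [(src, dst, egress_interface(routes, dst), source_matches_egress(routes, src, dst))
            for src, dst in flows]


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for src, dst, egress, ok in audit(table, DENIED):
        verdict = "consistent" if ok else "MISMATCH"
        print(f"{src} -> {dst}: route leaves via {egress}: {verdict}")
```

Run against the question's table, the first flow (10.200.1.5 to 10.200.1.12) resolves to the 10.200.0.0/16 on-link route on 10.200.1.5, so the source and egress adapter agree; only the second flow, sourced from the external address 77.89.128.108, fails the check. That is the situation the poster describes: the static routing table does not by itself explain why the first packet was rejected, which is why the table looks correct to them.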

Answers

  • Hi,

    I'm marking your question as answered, even though it hasn't been. It appears no one has been able to provide an answer. If the topic is still a concern, I would suggest you open a support case with Microsoft CSS, and an engineer will help you investigate the issue.


    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, May 17, 2011 10:53 PM
    Tuesday, May 17, 2011 10:53 PM

All replies

  • Hello, I have exactly the same problem. Did you hear anything that was helpful? I could speed up the internal AD authentication by removing the default gateway from the external interface. The UAG is behind another reverse proxy... Regards Mr. F.
    Wednesday, September 7, 2011 9:22 PM
  • I am experiencing exactly the same issue with TMG at one of our customers. All routes, DNS name resolution and such are ok.

    In this case the external network interface and VPN interface of TMG are trying to communicate with LDAP to internal Domain Controllers. It should use the internal network interface. Very weird.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Thursday, August 2, 2012 9:38 AM