Group Sync

12.7.1

Configuring AuthPoint for the first time using a trial license, and I've got my LDAP External Identities and Gateway up and running, connected to AD and WG Cloud. Using the Logon App, AuthPoint now sends push notifications when logging onto virtual or physical servers.

The problem I'm having is with the External Identities Group Sync telling me it "Cannot connect to LDAP Source". When I use Check Connection for the LDAP External Identity, it works fine.

ldapSync.application log file of the failed sync:

2022-02-09 15:51:57 INFO [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.a.g.s.GroupSynchronizationService - Sync Groups request received - LDAPId: 9373 - Request-Id:1-6204539c-25742feb67c811b143f41caf
2022-02-09 15:51:57 INFO [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.b.s.l.LdapPaginatorResultService - Connecting to LDAP Source - LDAPId: 9373 - Request-Id:1-6204539c-25742feb67c811b143f41caf
2022-02-09 15:51:57 ERROR [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.a.g.s.GroupSynchronizationService - Group sync failed - LDAPId: 9373 - Cause: 10.0.0.60:636 - Request-Id:1-6204539c-25742feb67c811b143f41caf

Any ideas?

It's usually something simple.
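An added example, not code from the thread or from WatchGuard: it parses ldapSync.application lines in the layout quoted above, correlates them by Request-Id, and reports the endpoint carried in the failure Cause. The line layout and the "transport versus bind" heuristic are assumptions; the sample input is the three lines from the post.

```python
import re
from collections import defaultdict

# Assumed layout of every ldapSync.application line:
# "<date> <time> <LEVEL> [<thread>] <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$"
)
# "Key: value" pairs embedded in the message, separated by " - "
FIELD_RE = re.compile(r"(LDAPId|Request-Id|Cause):\s*(\S+)")

def parse_line(line):
    """Return the structured fields of one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    # Free-text part of the message: everything before the first " - Key:"
    rec["step"] = re.split(r" - (?:LDAPId|Request-Id|Cause):", rec["msg"])[0]
    return rec

def failed_syncs(lines):
    """Group lines by Request-Id and describe each sync that ended in an ERROR."""
    by_req = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_req[rec["fields"].get("Request-Id", "?")].append(rec)
    out = []
    for req_id, recs in by_req.items():
        errors = [r for r in recs if r["level"] == "ERROR"]
        if not errors:
            continue
        cause = errors[-1]["fields"].get("Cause", "")
        host, _, port = cause.rpartition(":")
        out.append({
            "request_id": req_id,
            "ldap_id": errors[-1]["fields"].get("LDAPId"),
            "cause": cause,
            "endpoint": (host, int(port)) if port.isdigit() and host else None,
            # Steps that were logged before the error, in order
            "steps_before_error": [r["step"] for r in recs if r["level"] != "ERROR"],
            # Assumed heuristic: a Cause holding only host:port (no LDAP result code,
            # no AcceptSecurityContext text) points at the transport to that endpoint
            "likely_stage": "transport" if port.isdigit() and host else "bind-or-other",
        })
    return out

# Sample input: the three lines quoted in the original post
SAMPLE_LOG = """2022-02-09 15:51:57 INFO [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.a.g.s.GroupSynchronizationService - Sync Groups request received - LDAPId: 9373 - Request-Id:1-6204539c-25742feb67c811b143f41caf
2022-02-09 15:51:57 INFO [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.b.s.l.LdapPaginatorResultService - Connecting to LDAP Source - LDAPId: 9373 - Request-Id:1-6204539c-25742feb67c811b143f41caf
2022-02-09 15:51:57 ERROR [https-jsse-nio-9002-exec-10] c.w.a.p.a.l.s.a.g.s.GroupSynchronizationService - Group sync failed - LDAPId: 9373 - Cause: 10.0.0.60:636 - Request-Id:1-6204539c-25742feb67c811b143f41caf"""
```

Running `failed_syncs(SAMPLE_LOG.splitlines())` on the quoted lines yields one failed request whose endpoint is 10.0.0.60 on 636 and whose logged steps stop at "Connecting to LDAP Source".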

Comments

  • james.carson Moderator, WatchGuard Representative

    Logs suggest we're getting rejected by the server. If it's providing us an AcceptSecurityContext error, we'd generally log it. I'd suggest checking your Authentication logs in Event Viewer on whatever AD server AuthPoint is pointed at. If it's rejecting, there should be more info there on why.

    -James Carson
    WatchGuard Customer Support

  • There are no Audit Failure logs on either DC, nor were there any Audit Success logs for the account created for the AuthPoint External Identity.

    Only when I logged onto a PC using the AuthPoint account did the event get logged on the DC.

    Also getting this error in the gateway.application log file:

    2022-02-14 00:00:24 INFO [task-scheduler-4] c.w.a.p.a.g.c.m.MqttConnectionFailedEventListener - Applying the heuristic for failed connection.
    2022-02-14 00:00:24 INFO [task-scheduler-4] c.w.a.p.a.g.c.m.MqttConnectionFailedEventListener - The agent is facing network issues. Continue the heuristic execution. Re-register attempt: 1, Connection attempt: 37, Last connection attempt: 1644825564586.
    2022-02-14 00:00:24 INFO [task-scheduler-4] c.w.a.p.a.g.c.m.IotHeuristicConnection - The agent was not able to keep a success connection. Connection Attempt: 38.
    2022-02-14 00:00:24 INFO [task-scheduler-4] c.w.a.p.a.g.c.m.MqttConnectionFailedEventListener - MQTT Connection Failed. The next connection attempt will be in 60000 milliseconds. Re-register attempt: 1, Connection attempt: 38, Last connection attempt: 1644825624607.
    2022-02-14 00:00:24 ERROR [task-scheduler-4] c.w.a.p.a.g.c.m.GatewayAgentConsumerInbound - Error connecting or subscribing to [listen/B4D6A0E3-C586-44BB-90C3-3CB6884EAB2E/authpoint/ACC-0091189]
    org.eclipse.paho.client.mqttv3.MqttException: MqttException

    One other odd thing is that if I have both DCs' IPs listed in the External Identity, the test connection fails. If I have only one IP listed, it's successful.

    Is there supposed to be a policy in the Firebox specifically for AuthPoint?
    Don't recall that in any documentation.

    Thanks,

    - Doug

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    There are default proxy exceptions for AuthPoint (it's just *.watchguard.com), but no special rules, unless the proxy exceptions have been removed. We only use the secondary if the primary has completely failed, so if that bit of communication is keeping the primary looking like it's online, that might be at least part of the issue.

    If you haven't done so, please ensure you're on the latest version of the gateway, as well. Some older versions will be unable to connect.

    -James Carson
    WatchGuard Customer Support

  • Hey James,

    The original gateway was on a Win 10 VM, so I downloaded the latest gateway from WG Cloud along with a new config file, installed it on a Server 2019 VM and made it the primary gateway.
    All was good and the External Identity test was successful, but once again Group Sync fails.
    I've tried Domain Admin and Enterprise Admin accounts for the External Identity instead of a standard User account, and that still fails on the Group Sync.
    No Audit Failures logged in the DC Event Viewer, and nothing different in the gateway ldap log files either.

    Maybe I should open a support ticket because I suck at this AuthPoint stuff.

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator
    If you're still running into an issue, I'd suggest a ticket -- it's much easier to look at the logs there because you don't have to scrub through them and remove PII.

    When you create the case, select category "WatchGuard Endpoint Security (WES)" and you'll see AuthPoint under that. That'll ensure it's routed to the correct folks.

    -James Carson
    WatchGuard Customer Support

  • James,

    I did open a ticket and the issue is resolved.
    The support rep did everything I tried, yet it happened to work for him.
    He claimed "it was the order he did things" just to make me feel better I think.
    Now I know how users feel when their problem is fixed the moment I stand next to them.
    Having SSL-VPN issues w/authpoint now, but I will create a new thread for that.

    - Doug

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator I'm glad to hear they were able to help.

    -James Carson
    WatchGuard Customer Support
