Occasional Contributor II
Posts: 19
Registered: ‎11-20-2015

ClearPass joining AD timeout problem

Hi all,


Hope someone will be able to point me in the right direction. We are trying to join a customer's ClearPass server to ADs. Joining it to the first one went perfectly OK (in a scenario where both boxes have interfaces on the same subnet). When trying to join the second AD (in a scenario where there is a firewall between them, **but I am not saying that this is a firewall issue, just explaining the setup!**) we ran into problems. ClearPass attempts to join the new AD and fails, showing this message:


"Adding host to AD domain...
INFO - Fetched REALM 'XXXXX.COM' from domain FQDN
'ltcs.XXXXX.com'
INFO - Fetched the NETBIOS name 'XXXXX'
INFO - Creating domain directories for 'XXXXX'
Enter CPPMService's password:
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \netlogon failed
with error NT_STATUS_IO_TIMEOUT
libnet_join_ok: failed to get schannel session key from server
ltcs.XXXXX.com for domain XXXXX. Error was NT_STATUS_IO_TIMEOUT
Failed to join domain: failed to verify domain membership after
joining: NT_STATUS_IO_TIMEOUT
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'XXXXX'
ERROR - CPPM004 failed to join the domain XXXXX.COM with
domain controller as ltcs.XXXXX.com
Join domain failed"


Packet capture on the firewall shows traffic between the nodes passing through (at least the ones allowed by the initial request: kerberos, Active Directory, ms-ds-smb, msrpc, netbios-ss).


Any thoughts are more than welcome. Thanks, 


NesaM

Guru Elite
Posts: 20,391
Registered: ‎03-29-2007

Re: ClearPass joining AD timeout problem

Make sure that the time on the ClearPass box and the domain box are the same.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 19
Registered: ‎11-20-2015

Re: ClearPass joining AD timeout problem

Thanks Colin,


Will check and confirm on Monday.


NesaM

Occasional Contributor II
Posts: 19
Registered: ‎11-20-2015

Re: ClearPass joining AD timeout problem

Hi Colin,


Time checked on both boxes, and it is in sync. Any thoughts where to look next? Thanks.


Regards,

NesaM

MVP
Posts: 4,094
Registered: ‎07-20-2011

Re: ClearPass joining AD timeout problem

Can you do an NSLOOKUP to that domain controller from the ClearPass CLI?
network nslookup

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 19
Registered: ‎11-20-2015

Re: ClearPass joining AD timeout problem

Hi Victor,


Checked, and it is coming back with the server IP. I asked the customer to double-confirm that all the right ports are opened on the firewall, and will try to get hold of the Event Log from the AD controller.


NOTE: Case opened now with TAC, will keep you updated on what it was (though it must be something silly)


Thanks,

NesaM

Occasional Contributor II
Posts: 19
Registered: ‎11-20-2015

Re: ClearPass joining AD timeout problem

Right, the problem was after all related to the Palo Alto. The original request was to allow these applications:

kerberos, Active Directory, ms-ds-smb, msrpc, netbios-ss, ldap

When observing traffic going through the firewall, no traffic was dropped. However, someone from that team noticed that the MS logon protocol was not added by default (though this was apparently expected when you allow Active Directory on the PA).


After adding MS logon it all clicked nicely, and we now have a happy customer. Thanks to everyone who contributed suggestions.


NesaM
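As an added example (not from the thread, ClearPass or Aruba), a small Python triage helper that reads a join transcript like the one quoted in the first post and separates a DNS/realm failure from an RPC pipe bind that timed out, which is the pattern that pointed at the firewall here. The mapping of the \netlogon pipe to the Palo Alto "MS logon" application is my assumption drawn from the fix described in this post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the join output quoted in the thread, keeping its line wrapping.
SAMPLE_JOIN_LOG = r"""Adding host to AD domain...
INFO - Fetched REALM 'XXXXX.COM' from domain FQDN
'ltcs.XXXXX.com'
INFO - Fetched the NETBIOS name 'XXXXX'
Enter CPPMService's password:
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \netlogon failed
with error NT_STATUS_IO_TIMEOUT
libnet_join_ok: failed to get schannel session key from server
ltcs.XXXXX.com for domain XXXXX. Error was NT_STATUS_IO_TIMEOUT
Failed to join domain: failed to verify domain membership after
joining: NT_STATUS_IO_TIMEOUT
Join domain failed"""

REALM_RE = re.compile(r"Fetched REALM '([^']+)'")
# The transcript wraps long lines, so allow any whitespace between the tokens.
PIPE_RE = re.compile(r"rpc_pipe_bind for pipe \\(\w+) failed\s+with error (NT_STATUS_\w+)")
# Assumption (not stated in the thread): the \netlogon pipe is what the
# Palo Alto "MS logon" application the poster had to add covers.
PIPE_SERVICE = {"netlogon": "Netlogon secure-channel RPC ('MS logon' on the Palo Alto)"}

@dataclass
class JoinDiagnosis:
    realm: Optional[str]        # None if the DNS/realm lookup never succeeded
    failed_pipe: Optional[str]
    nt_status: Optional[str]
    verdict: str

def diagnose_join_log(text: str) -> JoinDiagnosis:
    realm_m = REALM_RE.search(text)
    realm = realm_m.group(1) if realm_m else None
    if "Join domain failed" not in text:
        return JoinDiagnosis(realm, None, None, "join succeeded")
    if realm is None:
        return JoinDiagnosis(None, None, None, "realm lookup failed: fix DNS first")
    pipe_m = PIPE_RE.search(text)
    if pipe_m is None:
        return JoinDiagnosis(realm, None, None, "failed after realm lookup, no RPC pipe error")
    pipe, status = pipe_m.groups()
    svc = PIPE_SERVICE.get(pipe, "RPC pipe \\" + pipe)
    if status == "NT_STATUS_IO_TIMEOUT":   # no answer at all: something in the path drops it
        verdict = f"DNS and realm lookup worked, but {svc} timed out: filtered between ClearPass and the DC"
    else:                                  # the DC answered and refused: not a filtering problem
        verdict = f"{svc} bind was refused by the DC ({status})"
    return JoinDiagnosis(realm, pipe, status, verdict)
```

Feed it the full transcript from the join dialog; a timeout on a named pipe after the realm and NETBIOS lookups succeeded is the signature to take to the firewall team, while a refusal status means the DC was reached.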
