Occasional Contributor I
Posts: 9
Registered: ‎10-02-2013

NT STATUS CONNECTION RESET Clearpass

We have been trying to reconnect our ClearPass server to our AD but we keep getting the same issue. We called TAC but they are stumped as well. Our username and password for the domain are correct, we were able to disconnect the ClearPass server from the AD. Has anyone else come across this issue?

Here are a couple of screen captures:

error 1.PNG

error2.PNG

MVP
Posts: 4,227
Registered: ‎07-20-2011

Re: NT STATUS CONNECTION RESET Clearpass

Can you do a "network nslookup -q host" to that domain from the ClearPass CLI?

Also, is your clock set correctly?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 8
Registered: ‎07-31-2014

Re: NT STATUS CONNECTION RESET Clearpass

I have the same problem, but I failed to link it to AD; could you fix it?
Fredy Gualdron
MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: NT STATUS CONNECTION RESET Clearpass


If you have the exact same problem, fgualdron, then answer the questions posted above you.

Also, mmurphy, is this solved for you?

Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: NT STATUS CONNECTION RESET Clearpass

I'm also having the same problem joining Clearpass to the domain.

ClearPass Policy Manager 6.5.1.72346 on CP-VA-25K platform

The domain controller is the primary DNS server.

The clock is set to NTP using the domain controller as the NTP server.  Double-checked and the time between the two is spot on.


NSlookup does return the domain controller:

[appadmin@cppm01]# network nslookup -q host dc01.local.customer.ca
unknown query type: HOST
Server: 10.10.10.3
Address: 10.10.10.3#53

Name: dc01.local.customer.ca
Address: 10.10.10.3


We are using a Domain Admin account. But no matter what we try, the results are the same:

Adding host to AD domain...
INFO - Fetched REALM 'LOCAL.CUSTOMER.CA' from domain FQDN
'dc01.local.customer.ca'
INFO - Fetched the NETBIOS name 'CC'
INFO - Creating domain directories for 'CC'
Enter da1's password:
Failed to join domain: failed to lookup DC info for domain
'LOCAL.CUSTOMER.CA' over rpc: NT_STATUS_CONNECTION_RESET
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CC'
ERROR - cppm01 failed to join the domain LOCAL.CUSTOMER.CA
with domain controller as dc01.local.customer.ca
Join domain failed


The only thing I can't do is use the default "Administrator" account because they have renamed it on their domain.

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: NT STATUS CONNECTION RESET Clearpass


[edit] Please start a new thread for a new question.

No direct experience with this error, but if I google for that specific error I see solutions like this come up several times:

http://www.linuxquestions.org/questions/linux-server-73/connecting-samba-to-a-windows-2012r2-domain-4175485746/

https://bugs.pcbsd.org/issues/8359

You could have a look at those. Also, making a packet capture during the join and looking for better hints there might help.

Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: NT STATUS CONNECTION RESET Clearpass

Thanks for the reply.  I did see that Samba article and forwarded it to the customer, but they are completely opposed to modifying AD.  Their opinion is that too many things depend on AD that they can't risk causing issues.

I would have hoped that Aruba would have tested Clearpass on AD 2012 before releasing it to the wild.  I have a case open with TAC so hopefully they will come up with a solution.

Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: NT STATUS CONNECTION RESET Clearpass

More digging with TAC confirms that Clearpass 6.5.x is running SMB version 3.6.2.x, so the above links about enabling SMB v. 1 on the domain won't work anyway.  Important for anyone else out there who may try it as a possible solution.


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: NT STATUS CONNECTION RESET Clearpass

OK, that is good to know; it will prevent people from trying something that doesn't work.

I would then fall back to making a packet capture and seeing if you can find more information there. Perhaps the server sends something with that message that points to a cause.

Contributor II
Posts: 38
Registered: ‎07-28-2014

Re: NT STATUS CONNECTION RESET Clearpass

Microsoft support came through with a registry fix which, when applied, enabled the unit to be joined to the domain, with a compromise though.
Their testing identified that the system is using SMB1 (in contradiction with what Aruba TAC told us) to communicate with the Domain Controller, and this registry setting lowers our domain security a bit by allowing this.

It does require a server reboot on the DC. Any communication coming from the ClearPass unit, which is using SMB1, hitting the other three DCs will fail. The default domain controller policy for Network Security is still set to "Send NTLMv2 response only. Refuse LM."

This is the Reg Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService

Original Value: SamSS Srv2
Change to: SamSS Srv2 Srv

(where Srv2 = SMB2 and Srv = SMB1)

The customer is asking Aruba to change ClearPass to use SMB2 because they aren't happy about lowering the domain security. SMB1 is 10+ years old.
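Because the fix above re-enables SMB1 on one domain controller, the change is worth auditing so it does not silently spread or outlive the ClearPass requirement. The following PowerShell is an added example, not from the thread or from Aruba/Microsoft: it reads the DependOnService value described in the post and cross-checks it against the SMB server configuration. It assumes Windows Server 2012 or later (where Get-SmbServerConfiguration exists) and an elevated session on the DC.

```powershell
# Added example: audit a DC for the SMB1 dependency described in the thread.
# Assumes Windows Server 2012 or later and an elevated PowerShell session.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

# DependOnService is REG_MULTI_SZ; PowerShell returns it as a string array.
$deps = (Get-ItemProperty -Path $keyPath -Name DependOnService).DependOnService

# Per the thread: 'Srv2' is the SMB2 driver, 'Srv' is the SMB1 driver.
# The default value is 'SamSS Srv2'; the workaround appends 'Srv'.
$srvDependency = $deps -contains 'Srv'

Write-Output ("DependOnService          : {0}" -f ($deps -join ' '))
Write-Output ("SMB1 driver (Srv) listed : {0}" -f $srvDependency)

# Cross-check with the SMB server's own view of SMB1.
$smbConfig = Get-SmbServerConfiguration
Write-Output ("EnableSMB1Protocol       : {0}" -f $smbConfig.EnableSMB1Protocol)

if ($srvDependency -or $smbConfig.EnableSMB1Protocol) {
    # Report, do not change: the thread's customer accepted this on one DC only.
    Write-Warning "SMB1 is available on this DC. Confirm it is a tracked exception and that only the intended host relies on it."
} else {
    Write-Output "SMB1 is not enabled on this DC."
}

# To revert to the thread's original value after the dependency is no longer
# needed (requires the reboot the post mentions), uncomment:
# Set-ItemProperty -Path $keyPath -Name DependOnService -Value @('SamSS', 'Srv2')
```

On Windows Server 2016 and later, `Set-SmbServerConfiguration -AuditSmb1Access $true` additionally logs each SMB1 client in the Microsoft-Windows-SMBServer/Audit event log (event ID 3000), which lets you confirm that only the ClearPass host is actually using SMB1 against that DC.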
