Category Archives: SonicWall

SonicWall LDAP bind Error – Remote Authentication – Bind to LDAP server failed

We’ve setup one of our client’s Sonicwall TZ series routers to allow LDAP authentication for VPN connections. Occasionally we were getting alerts from the SonicWall with the following content:

Subject: *** Alert from SonicWALL *** [SONICWALL NAME]

12/14/2010 17:05:22.544 - Error - Remote Authentication - Bind to LDAP server failed - - Credentials not valid at LDAP server - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1772

This email was generated by: SonicOS Enhanced 5.6.0.3-40o (MAC-ADDRESS-NUMBER)

Of course we’d log in and check it out, we’d hop over to the LDAP section, check to make sure that the user account, password, search context and such were proper, and they were. We’d then run a test bind, and of course it would work fine. It stumped us for a few days but we were eventually able to figure out that the account that the SonicWall was using to bind to the LDAP server was getting locked out due to some other non SonicWall related event, and of course when the account was locked out the SonicWall could not perform an LDAP query, and the users could not VPN in. Once the lockout period expired the SonicWall was again able to perform queries, which explained why when we logged in to test, it was working properly.

The moral of the story? Make sure that the account you are using for LDAP on the SonicWall isn’t used for anything else, so that the chance of someone locking out the service account is low, or you could also remove it’s lockout policy and apply a very strong password.

Mac OS 10.6 Clients unable to resolve DNS on Net Extender SSL VPN

Over the last few days I’ve been running into a problem with Mac OS 10.6 clients and the SonicWall SSL VPN client, NetExtender. The client computers were able to resolve DNS properly prior to installation. The problem didn’t appear until after the software was connected to a endpoint, and then disconnected. Once the connection was ended, boom, no DNS resolution.

I had already updated the endpoint device, a SRA 1200, and the NetExtender was whatever version came with SRA 1200 firmware SonicOS SSL-VPN 4.0.0.3-20sv, which was the most recent firmware available at the time of writing.

I started with a review of the release notes of the SonicWall firmware, which mention a problem with Mac OS prior to version 10.6.5 and NetExtender. I updated one of the client Macs to 10.6.5, but still no luck.

A call to SonicWall ended up with them giving me a new version of the NetExtender software for the Mac, version 5.0.680. I updated the first client and Success! I was able to connect, disconnect, and then continue to resolve DNS.

I thought my problems were over until I re-connected to test that the VPN was still working. Now on version 5.0.680 I was unable to resolve DNS on the other end of the VPN tunnel when connected. I could resolve DNS on my local subnet, and on the internet, but I was unable to resolve anything on the internal DNS servers at the main office that I was connecting to. I verified that I could telnet to port 53 across the tunnel, a NSlookup test proved that I the records I was looking for did exist.

I flushed the dns cache, I verified the /etc/resolv.conf file had the two DNS servers that the NetExtender had placed in there when I connected, and I verified with telnet that a firewall was not blocking DNS to the DNS servers.

I called SonicWall back and after much discussion they recommended that we roll back to version 5.0.679. I downloaded the file, removed the current NetExtender and then attempted to re-install the version 5.0.679. It would not allow me to re-install, stating that a more current version was already installed.

I was able to bypass this error by performing the following:

Drop to Command line and enter the following commands:

sudo rm /private/var/db/receipts/com.sonicwall.NetExtender.bom
sudo rm /private/var/db/receipts/com.sonicwall.NetExtender.plist
sudo rm /etc/ppp/sslvpn.*

I then rebooted the Mac and was able to install NetExtender version 5.0.679. Once installed I tested again. I was able to connect and resolve DNS, good. I was able to disconnect and continue to resolve DNS, even better. And Finally I was able to connect again and continue to resolve DNS still.  Version 5.0.679 on Mac OS 10.6.5 was what ended up working for me.

I’ve attached version 5.0.679 for download¬†if you’re experiencing the same problem. NetExtender.MacOSX.5.0.679

Update 1: Upon further review, it appears that NetExtender version 5.0.679 breaks the bonjour protocol on the Macs that it is installed on. To circumvent this problem we actually went back to version 5.0.680, and statically configured a hosts file for all of the major resources on the other end of the VPN tunnel. Click Here to see how to manually edit a hosts file on a Mac. You can download version 5.0.680 here: NetExtender.MacOSX.5.0.680

Update 2: Thomas (see below) pointed out that it doesn’t matter what’s in the resolv.conf file as Mac OS 10.6 and higher no longer uses this file to determine DNS servers. My writing about about double checking this file will have no impact on this particular problem. The rest of the article will still help you work around the problem though, so good luck!