APs as radius servers losing connection

  • 1
  • Question
  • Updated 5 years ago
  • Answered
We've been working with tech support on this issue, but the ticket has stalled. Figured I would try the community and see if anyone else has seen this error that we have been seeing in our logs:

"Feb 26 08:05:30 ap-xxxxxx-1.xxx.local radiusd[2594]: [ldap-xxxxxx_xxxx-0] ldap_search() failed: LDAP connection lost."

We have users set up in AD and two APs acting as Radius servers, one primary and one as the backup. Even with this error showing up in the logs, those of us testing authentication using .1x have no issue connecting to the APs with our credentials. We set everything up verbatim from the Radius Authentication Config Guide. Does anyone have any insight as to where we could start to look for this issue?

Thanks!

waz@exp

  • 9 Posts
  • 2 Reply Likes

Posted 5 years ago

  • 1

Tash Hepting

  • 55 Posts
  • 29 Reply Likes
Is the message always from the same AP, or does it bounce back and forth between both?

waz@exp

  • 9 Posts
  • 2 Reply Likes
The message is always from the same AP, which is set up as the primary. We reassigned the role of the primary radius server to a different AP just to rule out any funkiness with the AP, and the message followed the reassignment to the new primary.

Gary Smith, Official Rep

  • 299 Posts
  • 61 Reply Likes
You could try running a "_debug radiusd ldap-libs" and then a "show log buff". It might be that you get a reason in the debug.

waz@exp

  • 9 Posts
  • 2 Reply Likes
Gary, thanks for the help and idea of a way to troubleshoot this. We turned on debug for the AP and found that the error was being caused after an ldap_search was initiated. The connection fails, then it attempts to reconnect. I'm not 100% sure how to interpret the output that we see, but at least we have something and can see the cause.

waz@exp

  • 9 Posts
  • 2 Reply Likes
Basically, I set the AP's syslog level to debug, and during this time I was able to see exactly what was happening when we were getting this message.

Long and short of it is that there is a connection idle timeout value for LDAP via Server 2008 that is set at 15 mins. So User A would try to auth, get the error, and then it would reestablish the connection to LDAP. User B would come in 10 mins later and have no problem connecting because the idle timeout of 15 mins had not passed. Then User C would try an hour after User B, well past the 15 min idle connection timeout, and would have the same result as User A and receive the error. Basically it's a non-issue, other than seeing that error.

Thanks for everyone's help and hopefully this may help someone else out at some point.
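The explanation above (the "LDAP connection lost" message only appears when the LDAP session has sat idle longer than the server's 15-minute idle timeout) is easy to check against the AP's syslog rather than taking on faith, and the same check flags any connection loss that is not explained by idling, which would point at a real LDAP or network problem. The script below is an added example, not code from the thread or from the AP vendor. It assumes the syslog line shape quoted in the original post for the failure message, and it assumes a hypothetical "Login OK: [user]" line as the marker of a successful authentication (the real success message on the AP may differ, so adjust AUTH_RE to match your own logs). The sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt. The "LDAP connection lost" line follows
# the shape quoted in the thread; the "Login OK" line format is an assumption
# used only to mark when the LDAP session was last in use.
SAMPLE_LOG = """\
Feb 26 08:05:30 ap-1.example.local radiusd[2594]: [ldap-example-0] ldap_search() failed: LDAP connection lost.
Feb 26 08:05:31 ap-1.example.local radiusd[2594]: Login OK: [usera]
Feb 26 08:15:02 ap-1.example.local radiusd[2594]: Login OK: [userb]
Feb 26 09:20:45 ap-1.example.local radiusd[2594]: [ldap-example-0] ldap_search() failed: LDAP connection lost.
Feb 26 09:20:46 ap-1.example.local radiusd[2594]: Login OK: [userc]
Feb 26 09:22:10 ap-1.example.local radiusd[2594]: [ldap-example-0] ldap_search() failed: LDAP connection lost.
Feb 26 09:22:11 ap-1.example.local radiusd[2594]: Login OK: [userd]
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
LOST_MARK = "ldap_search() failed: LDAP connection lost"
# Hypothetical success marker; replace with the AP's actual auth-success text.
AUTH_RE = re.compile(r"Login OK: \[(?P<user>[^\]]+)\]")


def parse_ts(ts: str, year: int = 2014) -> datetime:
    """BSD syslog timestamps carry no year, so one is supplied (assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def classify_ldap_losses(log_text: str, idle_timeout=timedelta(minutes=15)):
    """For every 'LDAP connection lost' event, measure how long the LDAP session
    had been idle (time since the last successful auth or the last reconnect)
    and label it:
      - 'idle-timeout': idle >= idle_timeout, i.e. the benign case from the thread
      - 'unexpected':   idle <  idle_timeout, worth investigating
      - 'no-baseline':  first event in the log, nothing to compare against
    """
    last_activity = None
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        t = parse_ts(m.group("ts"))
        msg = m.group("msg")
        if LOST_MARK in msg:
            if last_activity is None:
                idle, verdict = None, "no-baseline"
            else:
                idle = t - last_activity
                verdict = "idle-timeout" if idle >= idle_timeout else "unexpected"
            findings.append({
                "time": t,
                "host": m.group("host"),
                "idle_seconds": None if idle is None else int(idle.total_seconds()),
                "verdict": verdict,
            })
            # radiusd reconnects right after the failure, so the session is
            # active again from this point.
            last_activity = t
        elif AUTH_RE.search(msg):
            last_activity = t
    return findings


def summarize(findings):
    """Count events per verdict so a quick glance shows whether anything
    other than idle-timeout losses is present."""
    counts = {"idle-timeout": 0, "unexpected": 0, "no-baseline": 0}
    for f in findings:
        counts[f["verdict"]] += 1
    return counts


if __name__ == "__main__":
    results = classify_ldap_losses(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']:%b %d %H:%M:%S} {f['host']}: idle={f['idle_seconds']}s -> {f['verdict']}")
    print(summarize(results))
```

Run it against a real syslog capture by replacing SAMPLE_LOG with the file contents. In the constructed sample, the 09:20:45 loss follows about 66 minutes of inactivity and is labelled as the idle-timeout case the thread describes, while the 09:22:10 loss comes only 84 seconds after a successful login and is flagged as unexpected; a run that reports only idle-timeout verdicts confirms the benign explanation for your environment.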