no local login to Kerio while internet down
  •  
BePo

Last Sunday our internet connection went down - hardware failure.
On Monday morning nobody was able to logon - we tried both: Outlook client and web interface. No logon was possible.

Right after return of internet connection we could logon.

In addition I found some strange messages in Warning Logs:
[05/May/2013 19:33:05] License update failed: Automatic license update failed during attempt to contact registration server: (11) Client-Server communication error.: Couldn't resolve host 'register.kerio.com'

several times repeated (probably on each logon attempt):
[06/May/2013 09:33:43] LDAP: Cannot search in dc=DOMAIN,dc=lan on LDAP server 192.168.144.200 192.168.144.200, error: Can't contact LDAP server (code -1)

Kerio Connect 8.0.2
OS CentOS 6.3
Kerio is located in DMZ
Name resolution is performed by AD=LDAP server
LDAP server is specified by address and not by name.

Does anyone know how to logon while internet is down?
Is this caused by Kerio or by MS Active Directory?

I see no reason why this happened.
Any support is appreciated.
  •  
UnifiedTechs-Brian

Quote:
Kerio is located in DMZ


Is the DMZ a separate port on your router/firewall? And is your router/firewall the hardware failure you mentioned? If so, then that explains your issue.

I have also seen some routers/firewalls act strangely when passing traffic between interfaces if the WAN interface goes down from a modem failing.

If not, can you give more details about your setup and what hardware failed, and I will try to help further.

- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
BePo

Thank you for the reply.

Here are some technical details:
Firewall:
Endian UTM Mercury (derivative of IPCop)
4 interfaces - one LAN - one DMZ - one WLAN - one WAN

WAN:
leased circuit with hardware router - glass fiber
There is no modem connected to the firewall - just a real hardware box with a LAN interface.
I have to specify on WAN interface all IPs of our internet network /27 and a default gateway. Name resolution is done by our internal AD.

hardware failure: the remote station to our router had problems and so the link went down.

It was possible to connect (ssh) to Kerio server from LAN.
I could also try to resolve a host from Kerio machine - just receiving "host could not be resolved".
So I assume the NICs on the firewall were working fine.

A few days before I rebooted the AD and so the LDAP was offline.
A login attempt produces the following different message in the log:
[02/May/2013 13:09:26] Can't bind to LDAP server 192.168.144.200. ldap_result() failed. User name: uid=USER@DOMAIN.lan,cn=users,dc=DOMAIN,dc=lan. Err. code: -5, message: Timed out, LDAP srv. message: (NULL). ThreadId: 10378

Additional investigations:
In addition I opened all ports from DMZ to LAN - situation stayed the same.
I also checked system times on both machines - there was no time gap.
All machines are using NTP to set system time.

And right after return of internet connection we could logon to Kerio Connect.

I hope this additional information is helpful.

  •  
UnifiedTechs-Brian

Do the clients address the Connect server using your public IP or a private IP in the DMZ?

- Brian
  •  
BePo

The clients in LAN connect to Kerio with private address.
The clients in internet are using public address.

This is realized by two different name servers. The public name server is located outside of the office and the local name server provides the private address.

We also tried to logon on web interface with IP address - same result - no logon possible.
  •  
scottwilkins

Can you login to admin via the local IP? https://127.0.0.1:4040 on the server itself? If so, try a mail login there too at http://127.0.0.1 If that works, then the software firewall on the server may need adjusting.

[Updated on: Thu, 09 May 2013 18:46]

  •  
BePo

scottwilkins wrote on Thu, 09 May 2013 18:45
Can you login to admin via the local IP? https://127.0.0.1:4040 on the server itself? If so, try a mail login there too at http://127.0.0.1 If that works, then the software firewall on the server may need adjusting.


I did not check to logon locally but here is a list of tests:

From LAN:
Logon with user defined in Kerio: possible
Logon with user defined in Active Directory / LDAP : not possible
Logon with Admin Account (locally defined): possible

We use mixed authentication: 70% from LDAP 30% from local db in Kerio.

So I assume this behavior is caused by problems with AD / LDAP or by Kerio having problems to connect / logon to LDAP server.
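
Added example (not part of any post above, and not Kerio's code): a small Python triage over the warning-log lines quoted in this thread. It groups failures by the dependency that could not be reached and flags LDAP servers addressed by IP literal, for which name resolution cannot be the cause. The function names and category labels are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Log excerpts as posted in this thread (DOMAIN/USER are the posters' placeholders).
SAMPLE_LOG = """\
[05/May/2013 19:33:05] License update failed: Automatic license update failed during attempt to contact registration server: (11) Client-Server communication error.: Couldn't resolve host 'register.kerio.com'
[06/May/2013 09:33:43] LDAP: Cannot search in dc=DOMAIN,dc=lan on LDAP server 192.168.144.200 192.168.144.200, error: Can't contact LDAP server (code -1)
[02/May/2013 13:09:26] Can't bind to LDAP server 192.168.144.200. ldap_result() failed. User name: uid=USER@DOMAIN.lan,cn=users,dc=DOMAIN,dc=lan. Err. code: -5, message: Timed out, LDAP srv. message: (NULL). ThreadId: 10378
"""

# (category, pattern); capture group 1 is the host the mail server tried to reach.
RULES = [
    ("dns_failure", re.compile(r"Couldn't resolve host '([^']+)'")),
    ("ldap_unreachable", re.compile(r"on LDAP server (\S+).*Can't contact LDAP server")),
    ("ldap_bind_timeout", re.compile(r"Can't bind to LDAP server (\S+?)\. .*Timed out")),
]
STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] ")

def classify(line):
    """Return (timestamp, category, target) for a known dependency failure, else None."""
    m = STAMP.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
    for category, pattern in RULES:
        hit = pattern.search(line)
        if hit:
            return when, category, hit.group(1)
    return None

def is_ip_literal(target):
    try:
        return ipaddress.ip_address(target) is not None
    except ValueError:
        return False

def triage(log_text):
    """Count failures per (category, target); list LDAP targets that bypass DNS."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    counts = Counter((cat, tgt) for _, cat, tgt in events)
    ldap_by_ip = sorted({t for _, c, t in events if c.startswith("ldap_") and is_ip_literal(t)})
    return counts, ldap_by_ip

if __name__ == "__main__":
    counts, ldap_by_ip = triage(SAMPLE_LOG)
    print(dict(counts))
    print("LDAP servers addressed by IP (check DMZ-to-LAN path, not DNS):", ldap_by_ip)
```

Run against a full warning log, the per-target counts show whether directory-backed logins failed only while the LDAP server was unreachable, which matches the local-versus-AD account split reported in the last post.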