Anonymous_User Absent Member.

ndstrace showing error code -5875

Hi All

Recently I upgraded eDirectory to the 8.8 SP8 patch, and after the upgrade I started getting this error in ndstrace.

TLS handshake failed on connection , err = -5875

All the certificates are valid, but I am still getting the error.

Any pointers for resolving the error? Let me know if any information is required.
Knowledge Partner

Re: ndstrace showing error code -5875

On Tue, 15 Mar 2016 13:06:02 +0000, abhishekpund wrote:

> Hi All
>
> Recently I upgraded eDirectory to the 8.8 SP8 patch, and after the
> upgrade I started getting this error in ndstrace.
>
> TLS handshake failed on connection , err = -5875
>
> All the certificates are valid, but I am still getting the error.


Which trace options do you have turned on? What are these connections
from?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
Knowledge Partner

Re: ndstrace showing error code -5875

That error shows up all of the time, and has for years, so unless you are
having a symptom along with that where connections are not working, it is
probably nothing.

If you are having issues with connections, chances are good that the
client and server have incompatible SSL/TLS versions or ciphersuites as
those have been tightened down in recent years all across the industry. A
LAN/wire trace would likely show more, in that case. Knowing more about
the connections (clients) would help too when those traces are posted
somewhere.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: ndstrace showing error code -5875

abhishekpund wrote:

>
> Hi All
>
> Recently I upgraded eDirectory to the 8.8 SP8 patch, and after the
> upgrade I started getting this error in ndstrace.
>
> TLS handshake failed on connection , err = -5875
>
> All the certificates are valid, but I am still getting the error.
>
> Any pointers for resolving the error? Let me know if any information
> is required.


This error is thrown when the LDAP client doesn't trust the cert issuer
so most likely you have a bunch of LDAP clients out there querying
eDirectory but never succeed in building up a connection. You can
either try to puzzle the LDAP trace together to get the source IP or
you can just run:

tcpdump -s0 -w myLDAPpacketTrace.cap -i any port 636

Open the cap file in wireshark and look for 'Unknown CA'

--
Cheers,
Edward
0 Likes
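Added example (not part of Edward's post or any Micro Focus tooling): a Python sketch of the check he describes, reading the tcpdump capture directly and listing the client IPs that sent a TLS `unknown_ca` alert (description 48) to port 636. Assumptions: classic pcap format, IPv4, the alert record at the start of a TCP segment and sent in cleartext (as in TLS 1.2 and earlier handshakes); the function names and the sample addresses are constructed for illustration.

```python
import socket
import struct

UNKNOWN_CA = 48  # TLS alert description "unknown_ca"
LINK_HDR = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux SLL, SLL2 ("-i any" writes SLL/SLL2)

def unknown_ca_sources(pcap: bytes, port: int = 636) -> list[str]:
    """Return source IPs that sent an unknown_ca alert to TCP `port`."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    link = struct.unpack(end + "I", pcap[20:24])[0]
    if link not in LINK_HDR:
        raise ValueError(f"unsupported link type {link}")
    hits, pos = [], 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        ip = pcap[pos + 16 + LINK_HDR[link]:pos + 16 + caplen]
        pos += 16 + caplen
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue  # this sketch handles IPv4 + TCP only
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != port:
            continue  # only segments sent by clients to the LDAPS port
        data = tcp[(tcp[12] >> 4) * 4:]
        # Cleartext alert record: type 21, version 3.x, length 2, level, description
        if (len(data) >= 7 and data[0] == 21 and data[1] == 3
                and data[3:5] == b"\x00\x02" and data[6] == UNKNOWN_CA):
            hits.append(socket.inet_ntoa(ip[12:16]))
    return hits

def sample_capture() -> bytes:
    """Constructed two-packet SLL capture: one unknown_ca alert, one close_notify."""
    def pkt(src, tls):
        tcp = struct.pack("!HHIIBBHHH", 40000, 636, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + tls
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton("192.0.2.10")) + tcp
        frame = bytes(14) + b"\x08\x00" + ip  # 16-byte SLL header, protocol = IPv4
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    return (hdr + pkt("198.51.100.7", b"\x15\x03\x03\x00\x02\x02\x30")
            + pkt("198.51.100.8", b"\x15\x03\x03\x00\x02\x01\x00"))

if __name__ == "__main__":
    print(unknown_ca_sources(sample_capture()))
```

To run it against a real trace, pass the file contents, for example `unknown_ca_sources(open("myLDAPpacketTrace.cap", "rb").read())`.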
neha_gupta Absent Member.

Re: ndstrace showing error code -5875


Edward van der Maas;266188 Wrote:
> abhishekpund wrote:
>
> >
> > Hi All
> >
> > Recently I upgraded eDirectory to the 8.8 SP8 patch, and after the
> > upgrade I started getting this error in ndstrace.
> >
> > TLS handshake failed on connection , err = -5875
> >
> > All the certificates are valid, but I am still getting the error.
> >
> > Any pointers for resolving the error? Let me know if any information
> > is required.

>
> This error is thrown when the LDAP client doesn't trust the cert issuer
> so most likely you have a bunch of LDAP clients out there querying
> eDirectory but never succeed in building up a connection. You can
> either try to puzzle the LDAP trace together to get the source IP or
> you can just run:
>
> tcpdump -s0 -w myLDAPpacketTrace.cap -i any port 636
>
> Open the cap file in wireshark and look for 'Unknown CA'
>
> --
> Cheers,
> Edward

Hi,

The same issue we are facing is for one of the Read/Write Replica added
in the Master Replica
- The Client server authentication is working against other replica
servers
- The issue started occurring only for one server where eDirectory was
recently reinstalled and added to existing tree.

Can someone please help for the resolution steps to the problem:
- is it a certificate level issue?
- what are validation checks after eDir reconfiguration and adding to
existing tree?

Response awaited. Thanks!


--
neha_gupta
Knowledge Partner

Re: ndstrace showing error code -5875

On 03/22/2016 06:16 AM, neha gupta wrote:
>
> The same issue we are facing is for one of the Read/Write Replica added
> in the Master Replica


This terminology does not make sense; you would not add a read/write
replica to a master replica, as those replicas for a given partition would
be on separate boxes. You could add a parent or child partitions'
replica, or you could convert from a read/write to Master, but not add as
you described. Please help us understand what you did, though in the end
that likely does not matter much when it comes to the PKI infrastructure,
other than to note that it's a good practice for server objects to hold
copies of themselves.

> - The Client server authentication is working against other replica
> servers
> - The issue started occurring only for one server where eDirectory was
> recently reinstalled and added to existing tree.
>
> Can someone please help for the resolution steps to the problem:
> - is it a certificate level issue?
> - what are validation checks after eDir reconfiguration and adding to
> existing tree?


A -5875 does not, by itself, mean anything other than the connection
closed. It can be seen when there are certificate problems, but also when
there are no certificate problems on a disconnect, so unless you have a
bit more on which to base troubleshooting, we need to get more information.

Taken from my server a few minutes ago when closing a connection using SSL
that was previously created successfully:


964404992 LDAP: [2016/03/22 7:22:58.941] Monitor 0x397ba700 initiating close for connection 0xcdaf180
948655872 LDAP: [2016/03/22 7:22:58.941] Server closing connection 0xcdaf180, socket error = -5875


This can be duplicated by connecting with ldapmodify, then hitting Ctrl+c
to end the connection.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...