AHA Audit Failed: LDAP Connectivity


Description

ServiceNow internal monitoring has detected an issue with the secondary (fail-over) nodes of your production instance. The alert reports that connections to one or more of your LDAP servers are failing from those nodes.
If this alert is not addressed, ServiceNow will be unable to fail over your instance, for any reason, and Advanced High Availability (AHA) cannot be maintained.

"AHA" in the alert name indicates that the failing test was performed on the secondary (fail-over) server, not on the primary node your administrators normally use.

Cause

Most AHA LDAP alerts are caused by firewall rules that were overlooked when the LDAP servers were set up: the customer firewall allows the primary node's addresses but not the addresses of the secondary (fail-over) nodes.

Resolution

Note that administrators and users cannot run the LDAP connectivity test from the secondary (fail-over) nodes themselves. The instance's LDAP test and the LDAP server records are only executed against the primary nodes, so a successful test from the instance UI does not prove that the secondary nodes can reach the LDAP servers.

To avoid or resolve LDAP connection errors from the secondary servers, work through the following checklist:

  1. For each LDAP server registered in the instance, validate that the LDAP server is up and running. You may need to confirm with your LDAP administrator whether there is an outage.

  2. For each LDAP server registered in the instance, ensure that your firewall allows both the primary and the secondary IP ranges. You can find the current ranges and the IP addresses of your instance (primary and secondary) under "My IP Information" on Hi.service-now.com; this is documented in KB0538621. Make sure all of the following entries for your production instance are included:
    a. "Source address used for integrations into customer network with NO VPN",
    b. "Source address used for integrations into customer network with VPN" and
    c. "The address to which your instance resolves".

    IMPORTANT: Contact your network administrator to ensure that all of the instance's IP addresses above are allowlisted for each of the required LDAP servers.

  3. If a specific LDAP server is reported as failing, first ask your LDAP administrator to rule out an outage of that server. If the server is healthy, the failure indicates a connectivity problem; confirm that the IP address ranges for that LDAP server have been set up correctly (see step 2).

  4. If the LDAP server is reached through a MID Server, consider increasing the read timeout on the LDAP server record. More information is available in the product documentation topic "Define an LDAP server".
  5. If the connection uses a VPN, ensure that the VPN tunnels are up and running.
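Because the connectivity test cannot be run from the secondary nodes, the practical way to catch the problem described in step 2 is to audit the firewall allowlist offline against the full set of instance addresses. The following is an added example, not ServiceNow's own code: it takes the addresses an administrator would copy from "My IP Information" (primary and secondary) and the CIDRs configured on the customer firewall for each LDAP server, reports every instance address that no rule covers, and offers a plain TCP reachability check with a timeout. All hostnames and addresses are constructed (RFC 5737 documentation ranges), and the function names are hypothetical.

```python
"""Audit a customer firewall allowlist against all ServiceNow instance addresses.

Added example (not ServiceNow code). The address lists below are constructed
samples using RFC 5737 documentation ranges, standing in for the values found
under "My IP Information" on Hi.service-now.com.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed sample: one entry per address category, for primary and secondary
# nodes. In a real audit, paste the values from "My IP Information" here.
INSTANCE_ADDRESSES: Dict[str, List[str]] = {
    "primary":   ["198.51.100.10", "198.51.100.11", "203.0.113.5"],
    "secondary": ["198.51.100.20", "198.51.100.21", "203.0.113.6"],
}

# Constructed sample: CIDRs the firewall allows to reach each LDAP server.
# ldap-dc2 was set up against the primary node only, which is the common mistake.
LDAP_ALLOWLISTS: Dict[str, List[str]] = {
    "ldap-dc1.example.com": ["198.51.100.0/24", "203.0.113.5/32", "203.0.113.6/32"],
    "ldap-dc2.example.com": ["198.51.100.10/32", "198.51.100.11/32", "203.0.113.5/32"],
}


def missing_allowlist_entries(allowlist: Iterable[str],
                              instance_addresses: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {node_role: [instance addresses not covered by any allowlist CIDR]}.

    An empty dict means every primary and secondary address is allowed.
    """
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in allowlist]
    missing: Dict[str, List[str]] = {}
    for role, addresses in instance_addresses.items():
        uncovered = [
            addr for addr in addresses
            if not any(ipaddress.ip_address(addr) in net for net in networks)
        ]
        if uncovered:
            missing[role] = uncovered
    return missing


def audit_allowlists(ldap_allowlists: Dict[str, List[str]],
                     instance_addresses: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Run the coverage check for every registered LDAP server."""
    return {
        server: missing_allowlist_entries(cidrs, instance_addresses)
        for server, cidrs in ldap_allowlists.items()
    }


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP connect test with a timeout.

    Success only shows the firewall path is open from *this* host; it does not
    prove an LDAP bind works, and it says nothing about the secondary nodes
    unless run from a host that shares their source addresses.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for server, gaps in audit_allowlists(LDAP_ALLOWLISTS, INSTANCE_ADDRESSES).items():
        if gaps:
            print(f"{server}: NOT allowlisted for {gaps}")
        else:
            print(f"{server}: all primary and secondary addresses allowlisted")
```

Run the audit whenever an LDAP server record is added or the instance's addresses change; any server that reports a gap under "secondary" is exactly the situation that trips the AHA audit while the instance's own (primary-node) test still passes.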

If the failure is due to planned maintenance, inform the engineer assigned to the case, but do not close the case: if it is closed while the condition persists, our monitoring system will automatically open a new alert.