Mangled LDAP response

I have a domain-connected client that accesses 2 Windows DCs via a site-to-site VPN. I'm having issues where the client cannot complete LDAP requests to access network shares etc. When running an LDAP query (via PortQry) in Wireshark for the affected client to one of the DCs, I get the output below. However, if I direct the query to the other DC on the same remote subnet, it works fine. To further complicate this, if I perform the same query from another client at the same site over the VPN to both DCs, it works fine.

I've tuned/verified the operation of the site-to-site VPN (MTU size etc.), and given I have a client that works fine to both DCs, I don't believe it's the VPN. I've checked both the affected client and DC to ensure it's not using an odd MTU - both are as expected. I've enabled/disabled both Windows Firewall and 3rd party AVs on both sides - no change.

Can anyone suggest anything further to look at or give a full explanation of the output attached?

Frame 642: 385 bytes on wire (3080 bits), 385 bytes captured (3080 bits) on interface \Device\NPF_{AA02D7D0-E0EE-4000-A447-8FB420844136}, id 0
Ethernet II, Src: ZyxelCom_5f:8c:3f (xx:xx:xx:xx:xx:xx), Dst: Dell_11:7e:f9 (xx:xx:xx:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.xx.xx, Dst: 192.168.xx.xx
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x02 (DSCP: CS0, ECN: ECT(0))
    Total Length: 371
    Identification: 0x0e26 (3622)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 124
    Protocol: TCP (6)
    Header Checksum: 0x3bf7 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.xx.xx
    Destination Address: 192.168.xx.xx
Transmission Control Protocol, Src Port: 389, Dst Port: 10265, Seq: 2683, Ack: 74, Len: 331
    Source Port: 389
    Destination Port: 10265
    [Stream index: 3]
    [Conversation completeness: Complete, WITH_DATA (47)]
    [TCP Segment Len: 331]
    Sequence Number: 2683    (relative sequence number)
    Sequence Number (raw): 1568904190
    [Next Sequence Number: 3014    (relative sequence number)]
    Acknowledgment Number: 74    (relative ack number)
    Acknowledgment number (raw): 950015891
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window: 514
    [Calculated window size: 131584]
    [Window size scaling factor: 256]
    Checksum: 0x92e3 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 639]
        [The RTT to ACK the segment was: 0.040845000 seconds]
        [iRTT: 0.036853000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Warning/Sequence): Previous segment(s) not captured (common at capture start)]
                [Previous segment(s) not captured (common at capture start)]
                [Severity level: Warning]
                [Group: Sequence]
    TCP payload (331 bytes)
    [PDU Size: 48]
    [PDU Size: 54]
    [PDU Size: 51]
Lightweight Directory Access Protocol
    LDAPMessage
        BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:2(INTEGER) but found class:UNIVERSAL(0) tag:17
            [Expert Info (Warning/Malformed): BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:2(INTEGER) but found class:UNIVERSAL(0) tag:17]
                [BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:2(INTEGER) but found class:UNIVERSAL(0) tag:17]
                [Severity level: Warning]
                [Group: Malformed]
[Malformed Packet: LDAP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
Lightweight Directory Access Protocol
    LDAPMessage
        BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:24 was unexpected
            [Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:24 was unexpected]
                [BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:24 was unexpected]
                [Severity level: Warning]
                [Group: Malformed]
Lightweight Directory Access Protocol
    LDAPMessage
        BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:17 was unexpected
            [Expert Info (Warning/Malformed): BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:17 was unexpected]
                [BER Error: Sequence expected but class:UNIVERSAL(0) Constructed tag:17 was unexpected]
                [Severity level: Warning]
                [Group: Malformed]
[Malformed Packet: LDAP]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
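
As an added illustration (not part of the original question, and not Wireshark's code): the two structural checks that the BER errors in this dissection name, following the LDAPMessage definition in RFC 4511 (a SEQUENCE whose first field is the INTEGER messageID). The function names and sample bytes are constructed for the example, and the error strings are modeled on the ones shown above.

```python
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")

def read_header(buf, off):
    """Decode one BER identifier octet and definite length at buf[off]."""
    ident = buf[off]
    cls, constructed, tag = ident >> 6, bool(ident & 0x20), ident & 0x1F
    if tag == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    first = buf[off + 1]
    off += 2
    if first < 0x80:                       # short form: length in one octet
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length not handled here")
    else:                                  # long form: next n octets hold the length
        n = first & 0x7F
        if off + n > len(buf):
            raise IndexError("truncated length field")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return cls, constructed, tag, length, off

def describe(cls, constructed, tag):
    kind = "Constructed" if constructed else "Primitive"
    return f"class:{CLASSES[cls]}({cls}) {kind} tag:{tag}"

def check_ldap_envelope(buf):
    """Return 'ok messageID=N' or the first structural error found."""
    try:
        cls, cons, tag, length, off = read_header(buf, 0)
        if (cls, cons, tag) != (0, True, 16):          # must be a SEQUENCE
            return f"Sequence expected but {describe(cls, cons, tag)} was unexpected"
        if off + length > len(buf):
            return "truncated: SEQUENCE length runs past the buffer"
        cls, cons, tag, ilen, ioff = read_header(buf, off)
        if (cls, cons, tag) != (0, False, 2):          # first field must be INTEGER
            return ("Wrong field in SEQUENCE: expected class:UNIVERSAL(0) "
                    f"tag:2(INTEGER) but found class:{CLASSES[cls]}({cls}) tag:{tag}")
        msg_id = int.from_bytes(buf[ioff:ioff + ilen], "big", signed=True)
        return f"ok messageID={msg_id}"
    except (IndexError, ValueError) as exc:
        return f"undecodable: {exc}"

# Constructed sample bytes (not taken from the capture above).
GOOD = bytes.fromhex("300c02010161070a010004000400")  # bindResponse, messageID 1
SHIFTED = GOOD[2:]                                     # same bytes read from a non-PDU offset
BAD_FIRST = bytes.fromhex("30053103020101")           # SEQUENCE whose first field is tag 17

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("SHIFTED", SHIFTED), ("BAD_FIRST", BAD_FIRST)):
        print(name, "->", check_ldap_envelope(data))
```

The same valid bytes yield a "Sequence expected" error as soon as decoding starts at an offset that is not a PDU boundary.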
