topic ASA LDAP Auth. ERROR: Authentication Rejected: Memory error in Network Access Control

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Mon, 11 Mar 2019 03:55:10 GMT

I had a working VPN with users authenticating via LDAP. One day it decided it did not want to work anymore. We are not aware of any changes to the ASA and the only thing that may have changed on the LDAP server is windows updates. One day this was working fine, and then it stopped and I have not been able to fix it.

The base DN, username, password, etc. nothting has changed. I verified all info is correct:

INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)

[433] Session Start
[433] New request Session, context 0xca21bb58, reqType = Authentication
[433] Fiber started
[433] Creating LDAP context with uri=ldap://10.0.1.136:389
[433] Connect to LDAP server: ldap://10.0.1.136:389, status = Successful
[433] supportedLDAPVersion: value = 3
[433] supportedLDAPVersion: value = 2
[433] Binding as ASALDAP
[433] Performing Simple authentication for ASALDAP to 10.0.1.136
[433] LDAP Search:
        Base DN = [DC=pip,DC=local]
        Filter = [sAMAccountName=jbutterfield]
        Scope   = [SUBTREE]
[433] Request for jbutterfield returned code (1) Operations error
[433] Fiber exit Tx=275 bytes Rx=733 bytes, status=-1
[433] Session End
ERROR: Authentication Rejected: Memory error

Wireshark on the server indicates that bind is successful, but then:

LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

But previous to that line it indicated:

LDAPMessage bindResponse(2) success

Any ideas?

aaa-server LDAPServerGroup protocol ldap

aaa-server LDAPServerGroup (inside) host 10.0.1.136

ldap-base-dn DC=pip,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local

server-type microsoft

ldap-attribute-map LDAPMap

The following output is from AD Explorer. I logged into ADExplorer using ASALDAP user/pass. I browsed the directory and gathered this distinguished name.

CN=ASALDAP,CN=Users,DC=pip,DC=local

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

Jatin Katyal — Wed, 18 Sep 2013 22:08:27 GMT

CSCtc69310 LDAP authentication with Kerberos SASL fails with memory error

Symptom:

ASA configured to authenticate against LDAP server with Kerberos SASL fails.

"test aaa authentication" command shows "ERROR: Authentication Rejected: Memory error".

Conditions:

ASA with LDAP and Kerberos SASL.

Workaround:

If possible, use "digest-md5" as the SASL mechanism rather than Kerberos.

~BR
Jatin Katyal

**Do rate helpful posts**

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Wed, 18 Sep 2013 22:18:24 GMT

I don't know, would I need to specify that on the ASA or on the Windows Domain Controller, or both? How does one chooose one vs. the other?

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

Jatin Katyal — Wed, 18 Sep 2013 22:25:17 GMT

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml#asdm

~BR
Jatin Katyal

**Do rate helpful posts**

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Wed, 18 Sep 2013 22:41:06 GMT

no luck there:

test aaa-server authentication LDAPServerGroup host 10.0.1.136 username jbutterfield password xxxxx

INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)

ERROR: Authentication Server not responding: AAA Server has been removed

aaa-server LDAPServerGroup protocol ldap

aaa-server LDAPServerGroup (inside) host 10.0.1.136

ldap-base-dn DC=pip,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local

sasl-mechanism digest-md5

server-type microsoft

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Wed, 18 Sep 2013 22:54:36 GMT

I did switch it to an NTDomain protocol authentication using another server group & that does work, but the downside there is that you can't use the LDAP mapping against NTDomain protocol.

aaa-server NTDomain protocol nt

aaa-server NTDomain (inside) host 10.0.1.136

nt-auth-domain-controller 10.0.1.136

I would still like to figure out why LDAP is not working.

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

Jatin Katyal — Wed, 18 Sep 2013 23:00:18 GMT

Could you please remove the whole config and readd the below listed one.

aaa-server LDAPServerGroup protocol ldap

aaa-server LDAPServerGroup (inside) host 10.0.1.136

ldap-base-dn DC=pip,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local

server-port 389

server-type microsoft

run debug ldap 255 and try again.

~BR
Jatin Katyal

**Do rate helpful posts**

ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Wed, 18 Sep 2013 23:09:32 GMT

Still same response. I did replace the *** with correct password

aaa-server LDAPServerGroup protocol ldap

aaa-server LDAPServerGroup (inside) host 10.0.1.136

server-port 389

ldap-base-dn DC=pip,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=ASALDAP,CN=Users,DC=pip,DC=local

server-type microsoft

INFO: Attempting Authentication test to IP address <10.0.1.136> (timeout: 12 seconds)

[859] Session Start
[859] New request Session, context 0xc9630220, reqType = Authentication
[859] Fiber started
[859] Creating LDAP context with uri=ldap://10.0.1.136:389
[859] Connect to LDAP server: ldap://10.0.1.136:389, status = Successful
[859] supportedLDAPVersion: value = 3
[859] supportedLDAPVersion: value = 2
[859] Binding as ASALDAP
[859] Performing Simple authentication for ASALDAP to 10.0.1.136
[859] LDAP Search:
        Base DN = [DC=pip,DC=local]
        Filter = [sAMAccountName=jbutterfield]
        Scope   = [SUBTREE]
[859] Request for jbutterfield returned code (1) Operations error
[859] Fiber exit Tx=275 bytes Rx=733 bytes, status=-1
[859] Session End
ERROR: Authentication Rejected: Memory error

Re: ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

Jatin Katyal — Sat, 21 Sep 2013 22:55:47 GMT

MS is aware of this problem and there is a hotfix available

Micorosft KB951191

https://www.google.co.in/search?newwindow=1&site=&source=hp&q=Micorosft+KB951191&oq=Micorosft+KB951191&gs_l=hp.3...1224.1224.0.1691.1.1.0.0.0.0.333.333.3-1.1.0....0...1c.1.27.hp..1.0.0.r8VMRYsGgeg

You may discuss with your windows team regarding the same.

~BR
Jatin Katyal

**Do rate helpful posts**

Re: ASA LDAP Auth. ERROR: Authentication Rejected: Memory error

John Butterfield — Tue, 24 Sep 2013 22:01:39 GMT

I have been unable to install the Hotfix. It just won't install. MS says that it has to be installed on a server running AD DS, which it is, but it just wont' install. I report back more when I know more.