https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4611869#M1090147 <P>try this way<BR />I think that the any connect traffic not allow to pass through S2S VPN<BR />In Site-2 S2S VPN&nbsp;</P><P>S2S VPN ACL must be include&nbsp;<BR />access-list VPN-POOL AD-SUBNET</P> Tue, 17 May 2022 19:04:57 GMT MHM Cisco World 2022-05-17T19:04:57Z https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4611821#M1090143 <P>&nbsp;</P><P> Hi,</P><P>&nbsp;</P><P>I have two site as below. Site 2 is the backup of site1. They connect via site to site vpn tunnel. LAN-1 and LAN-2 can talk with each other well.</P><P>I set up AnyConnect for Site 1, AAA is from Microsoft AD at LAN-1. It works well.</P><P>Now I am trying to setup&nbsp;AnyConnect for Site 2 (on Firewall-2):</P><P>- I also use the AD of site1 as AAA. It is not working now.</P><P>- I can receive the window pop up asking for username and password, but when I enter the credential, it freeze for a minute and ask me the username and password again.</P><P>- It looks like the Firewall-2 could not reach the AD.</P><P>- LAN-2 can reach AD well, so I am not sure what to check, set up to make it work.</P><P>Please advise</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JFK-Anyconnect.jpg" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/151415iA5E66242FF32C668/image-size/medium?v=v2&amp;px=400" role="button" title="JFK-Anyconnect.jpg" alt="JFK-Anyconnect.jpg" /></span></P><P>Note: both firewall are FTD 2100. I use FMC to set them up.&nbsp;</P><P>Thanks</P><P>Loc</P> Tue, 17 May 2022 17:39:51 GMT https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4611821#M1090143 loc.nguyen 2022-05-17T17:39:51Z https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4611869#M1090147 <P>try this way<BR />I think that the any connect traffic not allow to pass through S2S VPN<BR />In Site-2 S2S VPN&nbsp;</P><P>S2S VPN ACL must be include&nbsp;<BR />access-list VPN-POOL AD-SUBNET</P> Tue, 17 May 2022 19:04:57 GMT https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4611869#M1090147 MHM Cisco World 2022-05-17T19:04:57Z https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4612122#M1090169 <P>in my understanding, the problem is that the firewall 2 cannot pass through the S2S VPN to check AD credentials from firewall 1 network.</P><P>i think the best thing to do is add your LAN1 subnet in firewall 2 S2S VPN config and also add your LAN2 subnet in firewall 1 config so that both firewalls can see what ip addresses and subnets that are being used on each other side.</P><P>&nbsp;</P><P>have you tried pinging the ip address of your AD from your Firewall 2 and/or LAN2?</P> Wed, 18 May 2022 06:53:38 GMT https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4612122#M1090169 Tritontek 2022-05-18T06:53:38Z https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4612449#M1090184 <P>are you using realms on your FMC? check your ldap attributes are pointing to the correct CN and OU on your AD. try pinging the IP of your AD from your Firewall 2 CLI via SSH.</P><P>&nbsp;</P><P>also in your CLI via SSH of your firewall 2 try this command:</P><P>&nbsp;</P><P>test aaa-server authentication (Your Realms Name) host (Your AD IP Address)</P> Wed, 18 May 2022 15:02:51 GMT https://community.cisco.com/t5/network-security/set-up-anyconnect-using-ad-from-outside-interface/m-p/4612449#M1090184 Herald Sison 2022-05-18T15:02:51Z