topic Re: ASAv to Azure AD Authentication issue in Network Security

ASAv to Azure AD Authentication issue

jamesholley — Wed, 06 Jul 2022 16:16:51 GMT

Hello all

I am struggling with something on our Azure setup.

I have created public load balancer with two ASAv's behind it running active/standby HA.

I am fairly sure that when I set them up and configured HA, that it was working OK. But a few weeks later, the secondary firewall stopped communicating and went into a disabled state for HA.

The primary can reach the AD ok and authenticate, but the secondary seems to be getting rejected by the AD.

This is the output from show fail history

16:12:42 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:47 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:47 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:52 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:52 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:57 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:57 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:13:02 UTC Jul 6 2022: Info Connection - Checking Authentication
16:13:02 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:13:07 UTC Jul 6 2022: Info Connection - Checking Authentication

p8-1b# sh fail
Failover On
Failover Mode: Cloud
Failover Unit: Secondary
Failover State: Disabled
Internal State: Starting
Last Failover at: never

I have checked and the config is exactly the same for failover as the primary, and I am using the management interface to route traffic to the AD.

A packet capture on each firewall reveals that traffic is reaching the AD and we see a two-way tcp conversation. Both captures look identical.

So what am I missing and what area should I be looking at to try and troubleshoot this issue? I cannot find any documentation on this at all.

Thanks in advance

James

Re: ASAv to Azure AD Authentication issue

Mohammed al Baqari — Wed, 06 Jul 2022 16:41:45 GMT

Hi,

I have seen such abnormalities in ASAv in Azure. Try to redeploy the VM

Re: ASAv to Azure AD Authentication issue

jamesholley — Wed, 06 Jul 2022 17:44:45 GMT

Thanks, that is one option I have considered but it is simply the time it takes to complete.

The issue I have with this approach, is that even if it fixes the issue, how do I know it will not occur again in the future?

Regards

James

Re: ASAv to Azure AD Authentication issue

mnagakum — Fri, 05 Dec 2025 17:16:08 GMT

Dropping in a reply here to assist anyone else who faces this issue.

As per the usual design based on Azure ASAv HA Template the management interface acts as the default gateway, and also the default interface for HA Control and LB Probes. ASA also uses this interface to reach Azure Entra for authentication requests.
The messages you have mentioned seem to imply that ASA is not receiving replies on the intended interface. This is common for deployment where an alternative interface is used as the default GW.

Refer step 5 of this guide to clear these issues : Configure Failover Criteria and Other Settings