topic Re: FTD sourcing from 169.254.1.3 address for LDAP in Network Security

FTD sourcing from 169.254.1.3 address for LDAP

carl_townshend — Tue, 17 Dec 2024 08:57:51 GMT

Hi Guys

I am trying to troubleshoot an issue with LDAP from my FTD, I have the ftd onboarded to the cloud cdFMC for management.

I have done a packet capture and I can see the requests are coming from 169.254.1.3 rather than the inside interface IP.

How do we change / fix this behaviour?

Many thanks

Re: FTD sourcing from 169.254.1.3 address for LDAP

Flavio Miranda — Tue, 17 Dec 2024 09:56:27 GMT

@carl_townshend

This IP address means some interface is configured for DHCP and is not receiving IP address and It using APIPA address

Re: FTD sourcing from 169.254.1.3 address for LDAP

Aref Alsouqi — Tue, 17 Dec 2024 10:00:09 GMT

Hi @carl_townshend, as shown in this other post, your firewall seems not to have the data interfaces configured yet, this would explain why is showing nothing when you click on the interfaces drop down menu.

Re: FTD sourcing from 169.254.1.3 address for LDAP

carl.townshend — Tue, 17 Dec 2024 12:30:05 GMT

The inside and outside interfaces are both configured with IP addresses and zones, I can also ping them both fine.

Re: FTD sourcing from 169.254.1.3 address for LDAP

MHM Cisco World — Tue, 17 Dec 2024 12:42:19 GMT

when you integration LDAP with FTD try select interface that reachable from LDAP
I think OUTside is Good

MHM

Re: FTD sourcing from 169.254.1.3 address for LDAP

Aref Alsouqi — Tue, 17 Dec 2024 12:47:04 GMT

It's weird then why it's showing empty in the interfaces drop down menu. Have you managed to configure the management interface with the right IP as well?

Re: FTD sourcing from 169.254.1.3 address for LDAP

vishalbhandari — Tue, 17 Dec 2024 16:31:50 GMT

The behavior you're observing—LDAP requests originating from 169.254.1.3 on your Cisco Firepower Threat Defense (FTD) device—is due to the diagnostic interface being used as the source for system-generated traffic, including LDAP queries. This is common for scenarios where the source interface for such traffic is not explicitly defined.

Re: FTD sourcing from 169.254.1.3 address for LDAP

carl_townshend — Tue, 17 Dec 2024 17:48:31 GMT

Hi, is there some sort of bug then?

I managed to get around it by creating a Nat rule for from the 169 address to the inside interface ip.

also, the other issue was the firewall not doing dns lookups when testing the ldap connection, even though I had internal dns servers configured on my platform settings and I could ping when using the ftd cli, when I did an ldap test I never saw any dns lookups coming from the ftd, to fix this I had to go onto the ftd itself and configure the network dns to an internal server, the ldap then worked, the only issue I have now is that it won’t apply the LDAP configuration to the ftd, the deployment fails validation and days contact Cisco TAC, something to do with not accepting the ldap username.

maybe I need flexconfig for this?

Re: FTD sourcing from 169.254.1.3 address for LDAP

carl.townshend — Wed, 18 Dec 2024 11:46:35 GMT

Hi All

For ref, please see the below from the CDO instructions, you can see it does create a NAT for (outside) by default for the internal management interface traffic, I had to add a rule manually for the (inside) interface

Troubleshoot Management Connectivity on a Data Interface

Re: FTD sourcing from 169.254.1.3 address for LDAP

Aref Alsouqi — Wed, 18 Dec 2024 12:28:27 GMT

Thanks for sharing this.

Re: FTD sourcing from 169.254.1.3 address for LDAP

MHM Cisco World — Wed, 18 Dec 2024 12:35:30 GMT

Why make long steps

Instead use outside as interface connect to ldap instead of using inside and NAT to outside.

MHM

Re: FTD sourcing from 169.254.1.3 address for LDAP

carl.townshend — Wed, 18 Dec 2024 12:45:52 GMT

Hi, my LDAP servers are on the inside not outside, so they need to point this way

Re: FTD sourcing from 169.254.1.3 address for LDAP

MHM Cisco World — Wed, 18 Dec 2024 12:59:54 GMT

If that SO why you NAT to outside?.?

Anyway goodluck

Thanks

MHM