topic Re: FTD 1150 LDAPs not working on Remote Access VPN in Network Security

FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 12:56:34 GMT

Hi,

I already have configure the ldap and it is working on VPN perfectly, but when I configure LDAPs i'm getting login error with the following error on the logs:

"AAA unable to complete the request error reason memory error"

I have done the following:

Test directory configuration (test connection succeeded)
Test the Realm Configuration (AD Join test succeed)
CA enrollment is fine
Users download is working too

If i rollback to ldap without SSL it starts working fine

Re: FTD 1150 LDAPs not working on Remote Access VPN

MHM Cisco World — Wed, 15 Jan 2025 13:47:57 GMT

Share output of

Debug ldap 255

MHM

Re: FTD 1150 LDAPs not working on Remote Access VPN

ahollifield — Wed, 15 Jan 2025 15:37:43 GMT

Why are you using LDAP at all? What is the MFA strategy here?

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 15:37:44 GMT

@MHM Cisco World so far i have this logs:

%FTD-auth-2-113022: AAA Marking LDAP server Mydomain.local in aaa-server group Mydomain as FAILED\cf1\highlight2
%FTD-auth-2-113022: AAA Marking LDAP server mydomain2.local in aaa-server group Mydomain as FAILED\cf1\highlight2
%FTD-auth-6-113013: AAA unable to complete the request Error : reason = Memory error : user = user\cf1\highlight2

I don't know if this other part have something to do with the issue.

New request Session, context 0x000015487ec50de8, reqType = Authentication
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber started
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Failed to convert ip address 0.0.0.0
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Session End

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 15:47:04 GMT

@ahollifield I'm trying to allow user to change their AD password on the AnyConnect client when they are working from home. I think it is a requirement to hava LDAP ove SSL to accomplish that.

I'm using AAA and Client Certificate to accomplish the MFA.

Re: FTD 1150 LDAPs not working on Remote Access VPN

Aref Alsouqi — Wed, 15 Jan 2025 15:48:29 GMT

To me it does seem a buggy behaviour and probably you are hitting a software bug. What version of software you are running?

Re: FTD 1150 LDAPs not working on Remote Access VPN

MHM Cisco World — Wed, 15 Jan 2025 15:50:24 GMT

I will send you PM

MHM

Re: FTD 1150 LDAPs not working on Remote Access VPN

ahollifield — Wed, 15 Jan 2025 15:52:26 GMT

Yeah IMHO that's not really MFA. MFA would be a token, SMS, push notification, etc. in addition to the Certificate and credential. Certificate + SAML would be far more secure and scalable than Certificate + LDAP. I would highly recommend doing this through a SAML flow instead. The user can reset their password through the IDP directly within the SAML flow instead of relying on exposing your VPN headend directly to LDAP (which I assume is an AD server).

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 16:01:05 GMT

Do you think DUO with SAML will work?

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 16:04:53 GMT

i'm Using 7.4.2 on the FMC and 7.4.2 on the FTD

Re: FTD 1150 LDAPs not working on Remote Access VPN

ahollifield — Wed, 15 Jan 2025 16:07:27 GMT

Why not 7.4.2.1?

Re: FTD 1150 LDAPs not working on Remote Access VPN

ahollifield — Wed, 15 Jan 2025 16:07:28 GMT

Yes.

Re: FTD 1150 LDAPs not working on Remote Access VPN

MHM Cisco World — Wed, 15 Jan 2025 16:29:19 GMT

https://bst.cisco.com/quickview/bug/CSCwd25602 <<- check this

MHM

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 16:42:40 GMT

I will plan the upgrade to the cisco suggested version, I think it is the 7.4.2.1 and let you guys knows. It seems a buggy behavior

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Wed, 15 Jan 2025 16:46:39 GMT

I already have duo with the radius gateway with a different RAVPN profile, I will test moving to SAML it seems the better and scalable option.

Re: FTD 1150 LDAPs not working on Remote Access VPN

the_flyps — Thu, 16 Jan 2025 13:41:12 GMT

As https://bst.cisco.com/quickview/bug/CSCwd25602 it was a misleading message. it was a DNS problem on the FTD. on the FMC was good but the FTD could not reach the domain controller by the name.

This was the error i identify:

New request Session, context 0x000015487ec50de8, reqType = Authentication
%FTD-sys-7-711001: [3539578] Fiber started
%FTD-sys-7-711001: [3539578] Failed to convert ip address 0.0.0.0
%FTD-sys-7-711001: [3539578] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
%FTD-sys-7-711001: [3539578] Session End

Thank you Guys