topic Hello All, in Network Security

Unable to contact LDAP server

Stacey Hummer — Tue, 12 Mar 2019 05:35:30 GMT

Once again still struggling with our new ASA. My new problem is authenticating to our MS Domain Controller. It's a 2012r2 controller and for some reason I cannot connect to it.

I can ping it from the ASA no problem, but when I try to test the AAA authentication I get the following message.

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007fff33818ef8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://10.2.0.101:389
[-2147483641] Connect to LDAP server: ldap://10.2.0.101:389, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483641] Session End

Any and all help would be appreciated.

Stacey

Hi Stacey, Here is the config

Tushar Bangia — Thu, 05 Mar 2015 05:23:30 GMT

Hi Stacey,

Here is the config example for configuring LDAP authentication on Cisco ASA:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

Please verify the configs, and also share the Cisco ASA version you are working with.

Capturing below debugs on ASA can be helpful in identifying the cause of the issue:

debug aaa commom.

Regards,

Tushar Bangia

Note: Please do rate the post if you find it helpful!!

-------------------------------------------------------------

Sorry all for not getting

Stacey Hummer — Mon, 09 Mar 2015 14:20:27 GMT

Sorry all for not getting back, but it seems the issue was with routing internally. The ASA was sending out requests but it ended up in a loop.

Hi Stacey, Glad to hear that

Tushar Bangia — Tue, 10 Mar 2015 03:19:57 GMT

Hi Stacey,

Glad to hear that issue has been fixed. Feel free to post your queries on this forum and we would be glad to help you.

Regards,

Tushar Bangia

Note : Please do rate post if you find it helpful!!

Hello All,

dneumann — Thu, 04 Feb 2016 05:02:14 GMT

Hello All,

I have a 2012R2 DC in native mode and an ASA 5515 running 9.2(2)4 and I am having this exact problem.

I cannot figure it out and TAC cannot figure it out. TAC seems to think it is the DC rejecting the LDAP request by resetting something in the transaction between the DC and ASA. I am doing some digging to determine if I have missed something in the configuration of my 2012R2 server.

I have used Microsoft's LDP.exe from both of my DCs and can connect, BIND and query the Active Directory with the same credentials as I have configured on the ASA. So, my credentials are good and my DC is responding properly or so it seems.

In the Cisco guide referenced here (http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html) why are anonymous LDAP query privileges required? In the configuration of the AAA, we submit a username and a password to the DC to be able to query. I have not specifically configured this and and wondering if I need to do so. I have configured dozens of these solutions in the past but mainly with 2008R2 DCs and not 2012R2. I have never specifically configured anonymous access because of the security implications.

Does anyone have any thoughts on the matter?

-Don

Hello,

Alexander Vasilev — Fri, 27 Jan 2017 11:28:25 GMT

Hello,

anyone figured out what is the problem? I today faced the same issue.

On the ASA do i need to issue certificate for it?

On the Windows Server i receive following in the Event Viewer:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Thank you