topic replication Active Directory, ports issues in firewall in Network Security

replication Active Directory, ports issues in firewall

Jacob Samuel — Mon, 11 Mar 2019 23:38:08 GMT

Hi,

i am facing some issue in active directory replication between my Active Directory User Database located in two different locations.

I am not doing any Port based ACL in the firewall, and there is no static / dynamic NAT-ng used between the server ip ranges (nat 0).

1) what could be the possible issue in this?

2) do i need to issue any command in the FWSM Module to make use / open the dynamic ports ?

3) How can i make sure that these ports are not opend or not blocked on the firewall.

below are some of the ports used for this, based on the information from Microsoft Team.

tcp 5389

tcp 5722

tcp 5729

tcp3268

tcp 3269

tcp 445

udp 445

udp 88

udp 2535

udp 389

tcp 1025 - 5000

tcp 44152 - 65535

Appreciate your valuable support.

regards

Sunny

replication Active Directory, ports issues in firewall

Ramraj Sivagnanam Sivajanam — Fri, 17 Aug 2012 04:07:33 GMT

Hi Bro

If you’re not doing any port based ACL in your FWSM, I can only assume you’re permitting the rules between both the AD by IP e.g. access-list inside permit ip host 1.1.1.1 host 2.2.2.2, am I right? I hope you can PING between both the AD, otherwise this could be a routing issue.

Listed below are some commands that you could type to investigate this issue further;

a) show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into hardware limitation of the FWSM.

b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.

Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:

hostname(config)#xlate-bypass

If the xlate-bypass doesn’t resolve your issue, please do ensure you’ve a static NAT or dedicated nat/global in place.

The last resort is to enable sysoption np completion-unit, this magic option is invoking special processing created to address scenarios in which FWSM was known to introduce out of order packets for TCP streams.

replication Active Directory, ports issues in firewall

Jacob Samuel — Sat, 25 Aug 2012 07:20:16 GMT

Hi Ram,

Thanks a lot for the update. thanks again for pointing me towards the hardware limitations issues, because i too believe it is not related to somiething of ports, caz most of the replication part is working fine, like if we have 100 users, the replication happends for 90 / 95 users, but remaining its not. So could be some issue related to the hardware limitation / NAT size limitation also. But same time some other replications are also happenign beside the AD, like file replication on certain applications, and it works fine.

I want to track what happening at the time of replication? How we can do that?

I dont have any log server and it is risky if i need to run a debug, caz the firewall sits in a highly critical production network.

Thanks & Regards

Jacob

replication Active Directory, ports issues in firewall

Ramraj Sivagnanam Sivajanam — Sun, 26 Aug 2012 06:37:48 GMT

Hi Bro

I guess the best way to find this root cause is to place a packet sniffer e.g. Wireshark / Ethereal, anywhere along the path between both the WIndows AD. This will tell you what's actually happening.