Having trouble with AD Authentication when Using RA VPN with FDM.

Keith Jones
Level 1

I have an ASA5506-X running FTD code 6.2.3.7-51. I am configuring a lab with it to find out everything it is missing compared to the ASDM. Honestly, it's terrible, but that's beside the point. I have an AD realm configured and the Test works. I configured an RA VPN using that AD realm. I can get to the RA VPN authentication page, but I cannot authenticate. I found this in an article:

 

"Remote access VPN - The realm provides authentication services, which determine whether a connection is allowed.  The directory server must be reachable from the RA VPN outside interface."

 

Really... authenticate AD off of the outside interface? I have attempted entering no-NAT statements for traffic from the outside interface to the AD server (directly connected to the LAN data interface), and even entered an allow any any any any any... but the RA VPN cannot authenticate. From what I have read I think it has something to do with the management IP being a logical interface off of the diagnostic interface, and the diagnostic interface not having an IP address on it... but if you do that you have to separate the diagnostic interface from the LAN into a different IP space and connect them with a router... anyway.

 

Does anybody have experience with this?!  I have a possible install coming up that will need basic RA VPN and would like to hash this out.

1 Reply

Hi,

FTD can authenticate VPN users against AD even if the AD server is routed via a different interface. I had AD routed over an MPLS interface while the clients connected on the outside interface, and it worked fine.

I suggest troubleshooting this by running a firewall debug or a capture with trace to see why the authentication is failing.
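The "capture with trace" and "firewall debug" the reply suggests are run from the FTD diagnostic (LINA) CLI. The session below is an added example, not part of either post in this thread: it assumes the domain controller is 192.0.2.10 behind an interface named "inside", that the realm uses plain LDAP on TCP/389 (use 636 for LDAPS), and that the device prompt is "firepower". Adjust those three assumptions to your lab before running it.

```text
> system support diagnostic-cli
firepower> enable
Password:                       <- press Enter; the diagnostic CLI has no enable password
firepower# show running-config aaa-server
! The AD realm shows up here as a generated LDAP aaa-server group. Note the
! interface name in parentheses on its "host" line: that is the interface
! FTD sources the LDAP bind from, whatever interface the VPN clients land on.

! 1. Which interface does FTD actually route to the domain controller through?
firepower# show route 192.0.2.10        ! 192.0.2.10 = assumed DC address

! 2. Capture the LDAP exchange on that interface with "trace", so each packet
!    records the ACL, NAT and route decision FTD made for it.
firepower# capture ldap interface inside trace trace-count 50 match tcp any host 192.0.2.10 eq 389

! 3. Reproduce one failed login from the AnyConnect client, then inspect.
firepower# show capture ldap
firepower# show capture ldap trace
!   No packets at all      -> FTD never tried this server on this interface;
!                             check the aaa-server interface and the route.
!   SYN with no SYN/ACK    -> the DC is unreachable or not listening; the
!                             trace shows whether FTD dropped it (ACL/NAT) or forwarded it.
!   Full bind exchange     -> reachability is fine; look at the result code
!                             in the debug output below (LDAP code 49 = bad credentials or DN).

! 4. Watch the LDAP bind and the AAA decision live while reproducing again.
firepower# debug ldap 255
firepower# debug aaa common 255

! 5. Clean up.
firepower# undebug all
firepower# no capture ldap
```

Run the capture before the debugs: the capture answers "did the packet ever leave, and via which interface", which is the question the quoted documentation raises, while the debugs only help once the LDAP packets are known to reach the server.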