09-18-2012 01:22 AM - edited 03-10-2019 07:33 PM
Hello everybody.
We have lots of Cisco ASA 5505 in our small offices in different cities.
We make L2L IPSec VPN between every such ASA and central site.
In central site we have ASA 5510. Behind ASA 5510 in central site we have 2 domain controllers.
As protected networks in the organized VPN we have
in small office: local network - outside interface of Cisco ASA, remote network - Network Object Group populated with 2 domain controllers, situated in central site;
in central site: local network Network Object Group populated with 2 domain controllers, remote network: outside interface of Cisco ASA, situated in small office
Everything works fine.
But to make small office high available we use two ISPs. If through first ISP central site becomes unavailable then Cisco ASA 5505 makes tunnel through
second ISP. Here we face real problem with AAA server connectivity. Our AAA servers (domain controllers in central site) on Cisco ASA in small office are bound
to specific interface. As we build tunnels, these interfaces to which AAA servers are bound of course are outside1 (first ISP) and outside2 (second ISP), that
is one domain controller is bound to outside1, the other one - to outside2. So expected situation is when ISP1 is available first domain controller
serves as AAA, when ISP1 goes down, then second domain controller should serve as AAA.
Real situation is completely different.
When ISP1 goes down, first domain controller becomes unavailable, because all routes on interface outside1 become unavailable. But tunnel through second ISP between
Cisco ASA and second domain controller gets established and then torn down, so second domain controller becomes unavailable also. When user tries to get authenticated
by AAA rules it is seen from logs that tunnel through second ISP gets established (2 phases) and then torn down for unknown reason.
It is funny that when we try (in ASDM) to use "Test" button for second domain controller the test is successful, that is the tunnel gets established and authentication (through Test button) is passed.
But when we get back to user workstation and then start to authenticate users - the established tunnel gets torn down.
So we face the problem that connection to AAA servers cannot be backed up when they are situated in VPN.
Can anyone help?
P.S. We use domain controllers in central site to authenticate users when they want to get access to Internet in small office. Centralized user's database and group distribution have many benefits, that is why
we don't use local database on Cisco ASA.
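The setup described in the post (two ISP interfaces on the branch ASA 5505, one L2L tunnel per interface to the central site, and each domain controller bound as an AAA server to the interface whose tunnel reaches it) laid out as a branch-side configuration. This is an added illustration and not the poster's configuration: all addresses are RFC 5737 placeholders, the object, ACL, map and group names are invented, and ASA 8.4-style `ikev1` syntax is assumed. The tracked default route and the LDAP attribute values are assumptions added to show how the ISP failover and the per-interface server binding fit together.

```cisco
! Constructed example, not the original poster's running config. Placeholder addresses throughout.
! Branch ASA 5505, 8.4-style syntax assumed. Central ASA 5510 outside peer: 203.0.113.10
! Domain controllers behind the central ASA: 10.10.0.11 and 10.10.0.12
interface Vlan2
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
object-group network DOMAIN-CONTROLLERS
 network-object host 10.10.0.11
 network-object host 10.10.0.12
!
! Crypto ACLs: the local "network" is the ASA's own outside address (as in the post),
! the remote network is the two domain controllers. One ACL per ISP interface.
access-list VPN-ISP1 extended permit ip host 192.0.2.2 object-group DOMAIN-CONTROLLERS
access-list VPN-ISP2 extended permit ip host 198.51.100.2 object-group DOMAIN-CONTROLLERS
!
! Assumed ISP failover: the ISP1 default route is tracked with an SLA probe toward the
! central peer; when the probe fails the floating route via ISP2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! Separate crypto map per ISP interface, both pointing at the same central peer.
crypto map ISP1-MAP 10 match address VPN-ISP1
crypto map ISP1-MAP 10 set peer 203.0.113.10
crypto map ISP1-MAP 10 set ikev1 transform-set AES256-SHA
crypto map ISP1-MAP interface outside1
crypto map ISP2-MAP 10 match address VPN-ISP2
crypto map ISP2-MAP 10 set peer 203.0.113.10
crypto map ISP2-MAP 10 set ikev1 transform-set AES256-SHA
crypto map ISP2-MAP interface outside2
crypto ikev1 enable outside1
crypto ikev1 enable outside2
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
!
! One AAA server group; each domain controller is bound to the interface whose tunnel
! reaches it. The ASA tries the hosts in order and moves to the next on failure.
aaa-server DC-LDAP protocol ldap
 reactivation-mode timed
 max-failed-attempts 3
aaa-server DC-LDAP (outside1) host 10.10.0.11
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=local
 ldap-login-password <PLACEHOLDER>
 server-type microsoft
aaa-server DC-LDAP (outside2) host 10.10.0.12
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=local
 ldap-login-password <PLACEHOLDER>
 server-type microsoft
```

When checking a failover case like the one in the post, compare `show crypto ikev1 sa` and `show crypto ipsec sa` on the branch before and after the tracked route flips, and confirm with `show route` that the active default route is the one on the interface the second server is bound to; the `(outside1)` / `(outside2)` binding only selects the source interface for the AAA packets, it does not by itself move traffic to the other tunnel.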
09-18-2012 12:16 PM
Sasha,
When you issue a debug ldap 255 what error messages do you see when authenticating the user? Can you compare the messages from when it works to when the tunnel failover occurs and then try authenticating the user again?
thanks,
Tarik Admani
*Please rate helpful posts*