ASA SSL VPN not working

d50m64cisco (Level 1)

Dear Sir,

I have a Windows 2003 server and an ASA 5512.

I'm trying to use SSL VPN and it was all working, and I don't believe any configs on either box have been changed.

On Friday people were connecting, but now I get a message "Login Error" in the browser.

In the ASDM home 'Latest ASDM Syslog Messages' I get "AAA authentication server not accessible", followed by two messages:

AAA Marking LDAP server in group as FAILED

AAA Marking LDAP server in group as ACTIVE

When I go to Configuration --> Remote Access VPN --> AAA/Local Users --> AAA Server Groups and click on my RADIUS server and click Test, it takes a while and says "ERROR: AD agent Server not responding: No error".

If I stop my IAS server on my Windows box I get the same error, but much more quickly.

I have a SonicWall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...

Do you have any ideas what may have changed?

Thanks
Dave


5 Replies

Jennifer Halim (Cisco Employee)

Can you please share the ASA configuration, as well as the output of "show aaa-server protocol ldap"?

Also, are you using LDAP or RADIUS to authenticate the SSL VPN users?

Dear Jennifer, I'm using IAS (Windows RADIUS server). It was working fine, and I'm not aware of anything having changed...

When I 'test' the AAA server it says "ERROR: AD-agent server not responding: No Error".

I have an old SonicWall firewall doing the same thing and it tests successfully, implying RADIUS is working OK, if you want a screenshot?


dynamic-access-policy-record DfltAccessPolicy
aaa-server tethys protocol radius
 ad-agent-mode
aaa-server tethys (inside) host 10.11.1.10
 timeout 5
 key *****
 radius-common-pw *****
aaa-server tethysLDAP protocol ldap
aaa-server tethysLDAP (inside) host 10.11.1.10
 ldap-base-dn DC=tethys,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=SSLVPNAdmin,CN=Users,DC=tethys, DC=net
 server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console tethys LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.1.73 255.255.255.255 inside
http 10.11.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 keypair ASDM_TrustPoint3
 crl configure
crypto ca certificate chain ASDM_TrustPoint3
 certificate ca 0400000000012f4ee14143
    3082045a 30820342 a0030201 02020b04 00000000 012f4ee1 4143300d 06092a86
    de36bf03 04003df9 ef9ea967 a4f4863e 2397b82a 71e2edfe 698867bf 265c
  quit
 certificate 112119e126c272d2d5aabd8bb4a6f90fe78b
    308204f3 308203db a0030201 02021211 2119e126 c272d2d5 aabd8bb4 a6f90fe7
    a07c90b2 5e4c1b59 56bec070 d5a77145 5b74297f 68c7d6
  quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint3
telnet 10.11.1.10 255.255.255.255 inside
telnet 10.14.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.11.1.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!

Result of the command: "sh aaa-server protocol ldap"

Server Group:  tethysLDAP
Server Protocol: ldap
Server Address:  10.11.1.10
Server port:  0
Server status:  ACTIVE, Last transaction at unknown
Number of pending requests  0
Average round trip time   0ms
Number of authentication requests 205
Number of authorization requests 1
Number of accounting requests  0
Number of retransmissions  0
Number of accepts   0
Number of rejects   0
Number of challenges   0
Number of malformed responses  0
Number of bad authenticators  0
Number of timeouts   206
Number of unrecognized responses 0

Are you actually using the LDAP or the RADIUS protocol to authenticate?

I saw in your config that you have both configured.

On the RADIUS one, I saw that you have ad-agent enabled, but you don't have any IDFW configured, so I am assuming that it has been enabled by mistake.

Please remove the following line from the RADIUS server configuration if you don't use the AD agent:

ad-agent-mode

Hi, I tried to use RADIUS when I first set it up, but in the end used LDAP, sorry for confusing you.

So, when I tested the LDAP connection, it said:

ERROR: Authorization Server not responding: AAA server has been removed.

As far as I'm concerned, I've not changed the AD server or the ASA...

So, I deleted the server in the ASA config and re-added it, using exactly the same settings, and now it's working.

Really odd.

The only thing that I can think of that happened was my AD wasn't replicating to my other site, so I altered the AD replication. As far as I'm aware, this is the only change I made to the network: deleting the site links and re-adding them.

Why this should affect the LDAP I don't know. I only added the server with exactly the same credentials as before...

Very weird.

Anyway, thank you very much for pointing me in the right direction, it's all working now.

Dave
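The two fixes discussed in this thread (Jennifer's: drop ad-agent-mode from the RADIUS group; Dave's: delete and re-create the LDAP group, then make sure the SSL VPN actually authenticates against it) as one ASA CLI walkthrough. This is an added example, not configuration from the original posts. Group names, the host 10.11.1.10, the bind DN and base DN are taken from Dave's posted config; the tunnel-group name SSLVPN-TG, the test account vpntest and the masked secrets are assumptions. Two things a practitioner would check while here: the posted "show aaa-server protocol ldap" output reports 206 timeouts against 205 authentication requests, i.e. every request to the LDAP group was timing out, and the same RADIUS group "tethys" is also the SSH console authentication group (with LOCAL fallback), so a broken AAA group affects admin access as well as VPN logins.

```text
! Added example, not from the original thread. SSLVPN-TG, vpntest and
! the masked secrets are assumptions; everything else is from the
! posted config.

! 1. RADIUS group as posted. ad-agent-mode turns the group into an
!    AD-agent (identity firewall) group. IAS is a plain RADIUS server,
!    not an AD agent, so "test aaa-server" against this group reports
!    "AD agent Server not responding".
aaa-server tethys protocol radius
 ad-agent-mode
aaa-server tethys (inside) host 10.11.1.10
 timeout 5
 key *****
 radius-common-pw *****

! 1a. Corrected RADIUS group, if IAS is what the VPN should use:
aaa-server tethys protocol radius
 no ad-agent-mode

! 2. LDAP group rebuilt from scratch (what Dave did through ASDM by
!    deleting and re-adding it). This recreates the server object with
!    fresh counters and state.
clear configure aaa-server tethysLDAP
aaa-server tethysLDAP protocol ldap
aaa-server tethysLDAP (inside) host 10.11.1.10
 ldap-base-dn DC=tethys,DC=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=SSLVPNAdmin,CN=Users,DC=tethys,DC=net
 server-type microsoft

! 3. Bind the SSL VPN tunnel-group to the group that is actually in use
!    (LDAP, per Dave's later reply), not the RADIUS one.
tunnel-group SSLVPN-TG general-attributes
 authentication-server-group tethysLDAP

! 4. Verify from the CLI with a real account, then re-read the counters:
!    a healthy group shows accepts/rejects climbing, not timeouts.
test aaa-server authentication tethysLDAP host 10.11.1.10 username vpntest password *****
show aaa-server tethysLDAP
```

If step 4 still times out after the rebuild, the problem is between the ASA and the domain controller (reachability on the LDAP port, or the bind account SSLVPNAdmin), not the group definition; "debug ldap 255" during a test shows the bind and search exchange.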

Excellent, great to hear it's all good now. Thanks for the update and ratings.
