Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
565
Views
0
Helpful
2
Replies

ASAv to Azure AD Authentication issue

jamesholley
Level 1
Level 1

‎07-06-2022 09:16 AM

Hello all

I am struggling with something on our Azure setup.

I have created public load balancer with two ASAv's behind it running active/standby HA.

I am fairly sure that when I set them up and configured HA, that it was working OK. But a few weeks later, the secondary firewall stopped communicating and went into a disabled state for HA.

The primary can reach the AD ok and authenticate, but the secondary seems to be getting rejected by the AD.

This is the output from show fail history

 

16:12:42 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:47 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:47 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:52 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:52 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:12:57 UTC Jul 6 2022: Info Connection - Checking Authentication
16:12:57 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:13:02 UTC Jul 6 2022: Info Connection - Checking Authentication
16:13:02 UTC Jul 6 2022: Error Connection - No response to access token request from https://login.microsoftonline.com/
16:13:07 UTC Jul 6 2022: Info Connection - Checking Authentication

 

p8-1b# sh fail
Failover On
Failover Mode: Cloud
Failover Unit: Secondary
Failover State: Disabled
Internal State: Starting
Last Failover at: never

 

I have checked and the config is exactly the same for failover as the primary, and I am using the management interface to route traffic to the AD.

A packet capture on each firewall reveals that traffic is reaching the AD and we see a two-way tcp conversation. Both captures look identical.

So what am I missing and what area should I be looking at to try and troubleshoot this issue? I cannot find any documentation on this at all.

 

Thanks in advance

 

 

 

James

0 Helpful
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎07-06-2022 09:41 AM

Hi,

I have seen such abnormalities in ASAv in Azure. Try to redeploy the VM
0 Helpful

jamesholley
Level 1
Level 1
In response to Mohammed al Baqari

‎07-06-2022 10:44 AM

Thanks, that is one option I have considered but it is simply the time it takes to complete.

 

The issue I have with this approach, is that even if it fixes the issue, how do I know it will not occur again in the future?

 

Regards

 

 

James

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card