FTD 1150 LDAPs not working on Remote Access VPN

the_flyps (Level 1)

Hi,

I have already configured LDAP and it is working perfectly on the VPN, but when I configure LDAPS I get a login error with the following message in the logs:

"AAA unable to complete the request error reason memory error"

I have done the following:

  • Test directory configuration (test connection succeeded)
  • Test the Realm Configuration (AD Join test succeed)
  • CA enrollment is fine
  • Users download is working too

If I roll back to LDAP without SSL it starts working fine.

Accepted Solution

the_flyps (Level 1)

As per https://bst.cisco.com/quickview/bug/CSCwd25602, it was a misleading message. It was a DNS problem on the FTD: DNS on the FMC was good, but the FTD could not reach the domain controller by name.

This was the error I identified:

New request Session, context 0x000015487ec50de8, reqType = Authentication
%FTD-sys-7-711001: [3539578] Fiber started
%FTD-sys-7-711001: [3539578] Failed to convert ip address 0.0.0.0
%FTD-sys-7-711001: [3539578] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
%FTD-sys-7-711001: [3539578] Session End

Thank you Guys

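The accepted answer above boils down to a log pattern: the FTD marks every LDAP server in the group FAILED and reports a "Memory error" to AAA, while the session trace shows "Failed to convert ip address 0.0.0.0" followed by a fiber that exits with Tx=0 Rx=0 bytes. That combination means the LDAPS server name was never resolved on the FTD, so no TCP or TLS traffic was ever sent, and the "memory error" is a red herring. The following Python script is an added example, not code from the thread or from Cisco; it runs the triage over the syslog lines quoted in the thread (copied here as constructed sample input, with one extra constructed healthy session for contrast) and separates the name-resolution case from a transport or TLS failure that occurs after the address was resolved. The verdict labels (`dns`, `transport`, `ok`) are this example's own naming, not FTD terminology.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the syslog lines quoted in the thread (RTF debris removed),
# followed by a constructed healthy fiber (3539579) that actually exchanged bytes.
SAMPLE_LOG = """\
%FTD-auth-2-113022: AAA Marking LDAP server Mydomain.local in aaa-server group Mydomain as FAILED
%FTD-auth-2-113022: AAA Marking LDAP server mydomain2.local in aaa-server group Mydomain as FAILED
%FTD-auth-6-113013: AAA unable to complete the request Error : reason = Memory error : user = user
New request Session, context 0x000015487ec50de8, reqType = Authentication
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber started
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Failed to convert ip address 0.0.0.0
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Session End
<167>:Jan 15 15:36:01 UTC: %FTD-sys-7-711001: [3539579] Fiber started
<167>:Jan 15 15:36:01 UTC: %FTD-sys-7-711001: [3539579] Fiber exit Tx=512 bytes Rx=2048 bytes, status=0
<167>:Jan 15 15:36:01 UTC: %FTD-sys-7-711001: [3539579] Session End
"""

# Patterns are searched, not anchored, so the "<167>:Jan 15 ... UTC:" syslog
# prefix that appears on some lines and not others does not matter.
SERVER_FAILED = re.compile(
    r"%FTD-auth-2-113022: AAA Marking LDAP server (\S+) in aaa-server group (\S+) as FAILED")
AAA_ABORT = re.compile(
    r"%FTD-auth-6-113013: AAA unable to complete the request Error : reason = (.+?) : user = (\S+)")
BAD_ADDRESS = re.compile(r"\[(\d+)\] Failed to convert ip address (\S+)")
FIBER_EXIT = re.compile(r"\[(\d+)\] Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")


@dataclass
class Triage:
    failed_servers: List[str] = field(default_factory=list)   # aaa-server entries marked FAILED
    aborted_users: List[Tuple[str, str]] = field(default_factory=list)  # (user, reason) pairs
    unresolved_fibers: List[str] = field(default_factory=list)  # fibers that got 0.0.0.0 as the address
    zero_byte_fibers: List[str] = field(default_factory=list)   # fibers that failed without sending a byte
    verdict: str = "ok"


def is_hostname(server: str) -> bool:
    """True when the aaa-server entry is a name the FTD itself must resolve, False for an IP literal."""
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        return True


def triage(log_text: str) -> Triage:
    """Classify an FTD AAA/LDAP failure from its syslog lines."""
    t = Triage()
    for line in log_text.splitlines():
        if m := SERVER_FAILED.search(line):
            t.failed_servers.append(m.group(1))
        elif m := AAA_ABORT.search(line):
            t.aborted_users.append((m.group(2), m.group(1)))
        elif m := BAD_ADDRESS.search(line):
            if m.group(2) == "0.0.0.0":          # name lookup returned nothing
                t.unresolved_fibers.append(m.group(1))
        elif m := FIBER_EXIT.search(line):
            fiber, tx, rx, status = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
            if tx == 0 and rx == 0 and status != 0:
                t.zero_byte_fibers.append(fiber)

    # A fiber that both failed address conversion and exited with zero bytes never
    # opened a socket: the failure is name resolution on the FTD, whatever AAA says.
    if set(t.unresolved_fibers) & set(t.zero_byte_fibers):
        t.verdict = "dns"
    elif t.failed_servers:
        t.verdict = "transport"   # address resolved; look at TCP/636, TLS trust or the bind
    return t


def explain(t: Triage) -> str:
    """Human-readable next step for the verdict."""
    if t.verdict == "dns":
        names = [s for s in t.failed_servers if is_hostname(s)]
        return ("FTD could not resolve %s; check the DNS servers configured on the FTD itself "
                "(the FMC's DNS does not help), e.g. with 'ping' by name from the FTD CLI." % ", ".join(names))
    if t.verdict == "transport":
        return "Address resolved but the LDAPS exchange failed; run 'debug ldap 255' and check TCP/636, the CA trust and the bind DN."
    return "No LDAP server failures found."


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.verdict, "|", explain(result))
```

The AAA-level messages (113022/113013) only say that the group failed; the 711001 fiber trace is what distinguishes "never resolved" from "resolved but the TLS or bind failed", so feed both into the script when you collect logs.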

15 Replies

Share the output of:

debug ldap 255

MHM

Why are you using LDAP at all?  What is the MFA strategy here?

@ahollifield I'm trying to allow users to change their AD password in the AnyConnect client when they are working from home. I think it is a requirement to have LDAP over SSL to accomplish that.

I'm using AAA and Client Certificate to accomplish the MFA.

Yeah IMHO that's not really MFA.  MFA would be a token, SMS, push notification, etc. in addition to the Certificate and credential.  Certificate + SAML would be far more secure and scalable than Certificate + LDAP.  I would highly recommend doing this through a SAML flow instead.  The user can reset their password through the IDP directly within the SAML flow instead of relying on exposing your VPN headend directly to LDAP (which I assume is an AD server).  

Do you think DUO with SAML will work?

Yes.

I already have Duo with the RADIUS gateway on a different RAVPN profile. I will test moving to SAML; it seems the better and more scalable option.

the_flyps (Level 1)

@MHM Cisco World so far I have these logs:

%FTD-auth-2-113022: AAA Marking LDAP server Mydomain.local in aaa-server group Mydomain as FAILED
%FTD-auth-2-113022: AAA Marking LDAP server mydomain2.local in aaa-server group Mydomain as FAILED
%FTD-auth-6-113013: AAA unable to complete the request Error : reason = Memory error : user = user

I don't know if this other part has something to do with the issue.

New request Session, context 0x000015487ec50de8, reqType = Authentication
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber started
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Failed to convert ip address 0.0.0.0
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
<167>:Jan 15 15:35:23 UTC: %FTD-sys-7-711001: [3539578] Session End

I will send you PM

MHM

To me it does seem a buggy behaviour and probably you are hitting a software bug. What version of software you are running?

I'm using 7.4.2 on the FMC and 7.4.2 on the FTD.

I will plan the upgrade to the Cisco suggested version, I think it is 7.4.2.1, and let you guys know. It seems like buggy behavior.
