880 Views · 2 Helpful · 12 Replies

FTD sourcing from 169.254.1.3 address for LDAP

carl_townshend
Spotlight

Hi Guys

I am trying to troubleshoot an issue with LDAP from my FTD. I have the FTD onboarded to the cloud cdFMC for management.

I have done a packet capture and I can see the requests are coming from 169.254.1.3 rather than the inside interface IP.

How do we change / fix this behaviour?

Many thanks

12 Replies

@carl_townshend 

This IP address means some interface is configured for DHCP and is not receiving an IP address, so it is using an APIPA address.

Hi @carl_townshend, as shown in this other post, your firewall seems not to have the data interfaces configured yet. This would explain why it is showing nothing when you click on the interfaces drop-down menu.

Hi

The inside and outside interfaces are both configured with IP addresses and zones, I can also ping them both fine.

When you integrate LDAP with FTD, try selecting an interface that is reachable from LDAP.
I think outside is good.

MHM 

[image: 1.1.-Cisco-FMC-Realm-Types-.png]

It's weird then why it's showing empty in the interfaces drop-down menu. Have you managed to configure the management interface with the right IP as well?

vishalbhandari
Spotlight

The behavior you're observing—LDAP requests originating from 169.254.1.3 on your Cisco Firepower Threat Defense (FTD) device—is due to the diagnostic interface being used as the source for system-generated traffic, including LDAP queries. This is common for scenarios where the source interface for such traffic is not explicitly defined.
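The symptom described in this thread (system-generated LDAP and DNS traffic leaving the firewall from 169.254.1.3 instead of a data-interface address) is easy to confirm from a packet capture if you check the source address against the link-local range. The following is an added example, not code from the thread or from Cisco: it parses tcpdump-style header lines and flags client requests to LDAP/LDAPS/Global Catalog/DNS ports whose source falls in 169.254.0.0/16. The capture lines, IP addresses and the `SERVICE_PORTS` table are constructed for illustration.

```python
"""Flag system-generated LDAP/DNS traffic that leaves a firewall from a
link-local (APIPA, 169.254.0.0/16) source instead of a routable data
interface address.  Added example; all capture lines are constructed."""
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Destination ports whose sourcing matters in this scenario (assumed table).
SERVICE_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl", 53: "dns"}

# tcpdump-style header: "IP a.b.c.d.sport > w.x.y.z.dport:"
HEADER_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample capture. Lines 1 and 4 mimic the symptom in the thread
# (link-local source); line 3 shows a correctly sourced LDAPS request.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 169.254.1.3.51234 > 10.10.0.5.389: Flags [S], seq 1, length 0
12:00:01.000200 IP 10.10.0.5.389 > 169.254.1.3.51234: Flags [S.], seq 2, length 0
12:00:02.000001 IP 10.1.1.1.51235 > 10.10.0.5.636: Flags [S], seq 3, length 0
12:00:03.000001 IP 169.254.1.3.51236 > 10.10.0.9.53: Flags [.], length 40
12:00:04.000001 IP 10.1.1.1.40000 > 203.0.113.7.443: Flags [S], length 0
"""


def parse_capture(text):
    """Return (src_ip, sport, dst_ip, dport) tuples for each parsable line."""
    flows = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        flows.append((ipaddress.ip_address(src), int(sport),
                      ipaddress.ip_address(dst), int(dport)))
    return flows


def link_local_sourced(flows):
    """Requests to a watched service port that originate from APIPA space.

    Only the client->server direction is considered (destination port is the
    well-known one), so the server's reply on line 2 is not reported again."""
    findings = []
    for src, sport, dst, dport in flows:
        if src in LINK_LOCAL and dport in SERVICE_PORTS:
            findings.append({"service": SERVICE_PORTS[dport],
                             "src": str(src), "dst": str(dst), "dport": dport})
    return findings


def audit_capture(text):
    """Convenience wrapper: parse, then flag link-local-sourced requests."""
    return link_local_sourced(parse_capture(text))


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f['service']:6} {f['src']} -> {f['dst']}:{f['dport']}  "
              "(link-local source: check source interface / NAT for this traffic)")
```

Run the same check again after changing the source interface or adding the NAT rule: if the fix took effect, the requests to the LDAP server appear with the inside interface address as source and the audit returns nothing.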

Hi, is there some sort of bug then?

I managed to get around it by creating a NAT rule from the 169 address to the inside interface IP.

Also, the other issue was the firewall not doing DNS lookups when testing the LDAP connection, even though I had internal DNS servers configured in my platform settings and I could ping when using the FTD CLI. When I did an LDAP test I never saw any DNS lookups coming from the FTD. To fix this I had to go onto the FTD itself and configure the network DNS to an internal server; the LDAP then worked. The only issue I have now is that it won't apply the LDAP configuration to the FTD: the deployment fails validation and says contact Cisco TAC, something to do with not accepting the LDAP username.

Maybe I need FlexConfig for this?


carl.townshend
Level 1

Hi All

For reference, please see the below from the CDO instructions. You can see it does create a NAT for (outside) by default for the internal management interface traffic; I had to add a rule manually for the (inside) interface.

Troubleshoot Management Connectivity on a Data Interface

[image: carltownshend_0-1734522344189.png]


Thanks for sharing this.

Why make long steps?

Instead, use outside as the interface to connect to LDAP, instead of using inside and NAT to outside.

MHM

Hi, my LDAP servers are on the inside, not outside, so they need to point this way.

If that is so, why do you NAT to outside?

Anyway, good luck.

Thanks 

MHM
