05-17-2022 10:39 AM
Hi,
I have two sites as below. Site 2 is the backup of Site 1. They connect via a site-to-site VPN tunnel. LAN-1 and LAN-2 can talk with each other well.
I set up AnyConnect for Site 1; AAA is from Microsoft AD at LAN-1. It works well.
Now I am trying to set up AnyConnect for Site 2 (on Firewall-2):
- I also use the AD of Site 1 as AAA. It is not working now.
- I can receive the window pop-up asking for username and password, but when I enter the credentials, it freezes for a minute and asks me for the username and password again.
- It looks like Firewall-2 could not reach the AD.
- LAN-2 can reach the AD well, so I am not sure what to check or set up to make it work.
Please advise.
Note: both firewalls are FTD 2100. I use FMC to set them up.
Thanks
Loc
05-17-2022 12:04 PM
Try this way.
I think that the AnyConnect traffic is not allowed to pass through the S2S VPN.
In the Site-2 S2S VPN:
The S2S VPN ACL must include
access-list VPN-POOL AD-SUBNET
05-17-2022 11:53 PM
In my understanding, the problem is that Firewall 2 cannot pass through the S2S VPN to check AD credentials from the Firewall 1 network.
I think the best thing to do is add your LAN1 subnet in the Firewall 2 S2S VPN config and also add your LAN2 subnet in the Firewall 1 config, so that both firewalls can see what IP addresses and subnets are being used on each other's side.
Have you tried pinging the IP address of your AD from your Firewall 2 and/or LAN2?
05-18-2022 08:00 AM - edited 05-18-2022 08:02 AM
Are you using realms on your FMC? Check that your LDAP attributes are pointing to the correct CN and OU on your AD. Try pinging the IP of your AD from your Firewall 2 CLI via SSH.
Also, in the CLI of your Firewall 2 via SSH, try this command:
test aaa-server authentication (Your Realms Name) host (Your AD IP Address)
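The replies above boil down to one check: every flow that AnyConnect on Firewall-2 needs towards the AD server must be selected by the S2S tunnel's "interesting traffic" ACL on Firewall-2, with a mirrored entry on Firewall-1. There are two such flows: the firewall's own AAA/LDAP query to AD, sourced from its inside interface, and a connected client's traffic from the RA VPN pool. The script below is an added example, not code from the thread or from Cisco; it uses a simplified "permit ip SRC DST" notation rather than the exact FTD/FMC syntax, and all addresses (LAN subnets, the Firewall-2 inside IP, the AD server, the AnyConnect pool) are constructed assumptions for illustration. It reports which flows the current ACLs would leave outside the tunnel and which entries would close the gap.

```python
import ipaddress

# Constructed sample S2S "interesting traffic" entries for each firewall, in a
# simplified "permit ip SRC DST" form (not the exact FTD/FMC syntax). All values
# below are assumptions for illustration, not addresses from the thread.
FIREWALL2_S2S_ACL = [
    "permit ip 10.2.0.0/24 10.1.0.0/24",  # LAN-2 -> LAN-1 (this already works)
]
FIREWALL1_S2S_ACL = [
    "permit ip 10.1.0.0/24 10.2.0.0/24",  # LAN-1 -> LAN-2 (mirror of the above)
]

FW2_INSIDE_IP = "10.2.0.1"           # assumed: interface Firewall-2 sources LDAP from
AD_SERVER_IP = "10.1.0.10"           # assumed: AD/LDAP server inside LAN-1
AD_SUBNET = "10.1.0.0/24"            # assumed: LAN-1 subnet that holds the AD server
ANYCONNECT_POOL = "192.168.20.0/24"  # assumed: RA VPN address pool on Firewall-2


def parse_acl(lines):
    """Return (src_network, dst_network) pairs from the simplified ACL lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append((ipaddress.ip_network(parts[2]), ipaddress.ip_network(parts[3])))
    return entries


def flow_matches(entries, src_ip, dst_ip):
    """True if some entry covers src_ip -> dst_ip, i.e. the flow enters the tunnel."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net for s_net, d_net in entries)


def check_anyconnect_aaa(fw2_acl, fw1_acl, fw_inside_ip, pool, ad_server):
    """Check both flows AnyConnect on Firewall-2 needs towards AD, in both directions.

    aaa_from_firewall: Firewall-2's own LDAP/RADIUS query, sourced from its inside IP.
    client_from_pool:  a connected client, addressed from the pool, reaching AD.
    Each must be selected by Firewall-2's ACL and by the mirror entry on Firewall-1.
    """
    fw2, fw1 = parse_acl(fw2_acl), parse_acl(fw1_acl)
    client_ip = str(next(ipaddress.ip_network(pool).hosts()))  # first usable pool address
    results = {}
    for name, src in (("aaa_from_firewall", fw_inside_ip), ("client_from_pool", client_ip)):
        results[name] = {
            "fw2_to_ad": flow_matches(fw2, src, ad_server),
            "fw1_return": flow_matches(fw1, ad_server, src),
        }
    return results


def suggest_entries(results, fw_inside_ip, pool, ad_subnet):
    """Simplified entries to add on each side for every flow that is not selected."""
    sources = {"aaa_from_firewall": f"{fw_inside_ip}/32", "client_from_pool": pool}
    to_add = {"fw2": [], "fw1": []}
    for name, src in sources.items():
        if not results[name]["fw2_to_ad"]:
            to_add["fw2"].append(f"permit ip {src} {ad_subnet}")
        if not results[name]["fw1_return"]:
            to_add["fw1"].append(f"permit ip {ad_subnet} {src}")
    return to_add


if __name__ == "__main__":
    before = check_anyconnect_aaa(FIREWALL2_S2S_ACL, FIREWALL1_S2S_ACL,
                                  FW2_INSIDE_IP, ANYCONNECT_POOL, AD_SERVER_IP)
    print("before:", before)
    fix = suggest_entries(before, FW2_INSIDE_IP, ANYCONNECT_POOL, AD_SUBNET)
    print("add on Firewall-2:", fix["fw2"])
    print("add on Firewall-1:", fix["fw1"])
    after = check_anyconnect_aaa(FIREWALL2_S2S_ACL + fix["fw2"], FIREWALL1_S2S_ACL + fix["fw1"],
                                 FW2_INSIDE_IP, ANYCONNECT_POOL, AD_SERVER_IP)
    print("after:", after)
```

With the constructed ACLs, the firewall's own AAA flow is already inside the tunnel (its inside IP sits in LAN-2), while the pool-to-AD flow is not selected on either side, which is the gap the first reply points at. Whether the FTD actually sources its LDAP queries from the inside interface depends on its routing to the AD server, so confirm the real source address from the CLI (for example with the `test aaa-server` command above and a packet capture) before deciding which entry is missing.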