05-11-2012 02:47 PM - edited 03-11-2019 04:06 PM
Short story: for a remote access VPN, I'm trying to auth against an LDAP server on the outside of my branch office. The branch office has an ASA 5505 Sec Plus. The LDAP server is in a data center behind a 5520, though it is statically NATed to an external IP address.
When I try and test auth against my LDAP server though, I get an error saying that the LDAP server did not respond. However, I can see a TCP reset on the ASA, and have captured some packets:
TCP reset:
Teardown TCP connection xxx for outside ldap.ldap.ldap.ldap/389 to identity:asa.asa.asa.asa/2807 duration 0:00:21 bytes 286 TCP Reset-I
Packet Capture:
show cap capout
12 packets captured
1: 13:00:11.836214 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: S 2552064091:2552064091(0) win 8192 <mss 1380,sackOK,nop,nop,nop,nop,timestamp 539401482 263829745>
2: 13:00:11.853532 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: S 830582830:830582830(0) ack 2552064092 win 8192 <mss 1380,sackOK,timestamp 263895589 539401482>
3: 13:00:11.853624 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830582831 win 8192 <nop,nop,timestamp 539401499 263895589>
4: 13:00:11.853776 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064092:2552064237(145) ack 830582831 win 8192 <nop,nop,timestamp 539401500 263895589>
5: 13:00:11.877853 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830582831:830583323(492) ack 2552064237 win 64296 <nop,nop,timestamp 263895591 539401500>
6: 13:00:11.877914 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
7: 13:00:11.878311 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064237:2552064304(67) ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
8: 13:00:11.999109 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830583323:830583433(110) ack 2552064304 win 64229 <nop,nop,timestamp 263895603 539401524>
9: 13:00:11.999185 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
10: 13:00:11.999444 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064304:2552064311(7) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
11: 13:00:11.999551 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: FP 2552064311:2552064311(0) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
12: 13:00:12.019103 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: R 830583433:830583433(0) ack 2552064311 win 0
12 packets shown
I know I'm querying over 389; I can switch to secure after I get this working (initially tried secure, but same results). The asa.asa.asa.asa address is the external IP of the branch office 5505.
Can someone help tell me what I'm looking at?
05-13-2012 02:42 AM
Try to run "debug ldap" and see if it gives you more information.
From the packet capture, it seems that the 3-way handshake is successful, so TCP-wise it is OK. Seems to be more of an LDAP problem.
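As an added example (not code from either poster), here is a small Python parser for ASA `show capture` output that reports what the reply above concludes by eye: whether the three-way handshake completed, how many payload bytes each side sent, and which side closed or reset the connection. Run over the capture from the question it confirms the handshake, counts 219 bytes from the ASA and 602 from the LDAP server, and shows the ASA sent the FIN first, right after a 7-byte message. That 7-byte length matches a minimal LDAP UnbindRequest (my inference, not something the post states), so the ASA itself ended the LDAP session after reading the server's last response, and the server's RST is a reaction to that rather than the cause. The capture text is embedded as constructed sample input with the poster's placeholder hostnames kept.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the capture from the question, placeholders kept.
SAMPLE_CAPTURE = """\
12 packets captured
1: 13:00:11.836214 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: S 2552064091:2552064091(0) win 8192 <mss 1380,sackOK,nop,nop,nop,nop,timestamp 539401482 263829745>
2: 13:00:11.853532 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: S 830582830:830582830(0) ack 2552064092 win 8192 <mss 1380,sackOK,timestamp 263895589 539401482>
3: 13:00:11.853624 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830582831 win 8192 <nop,nop,timestamp 539401499 263895589>
4: 13:00:11.853776 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064092:2552064237(145) ack 830582831 win 8192 <nop,nop,timestamp 539401500 263895589>
5: 13:00:11.877853 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830582831:830583323(492) ack 2552064237 win 64296 <nop,nop,timestamp 263895591 539401500>
6: 13:00:11.877914 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
7: 13:00:11.878311 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064237:2552064304(67) ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
8: 13:00:11.999109 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830583323:830583433(110) ack 2552064304 win 64229 <nop,nop,timestamp 263895603 539401524>
9: 13:00:11.999185 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
10: 13:00:11.999444 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064304:2552064311(7) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
11: 13:00:11.999551 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: FP 2552064311:2552064311(0) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
12: 13:00:12.019103 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: R 830583433:830583433(0) ack 2552064311 win 0
12 packets shown
"""

# One ASA capture line: "<n>: <time> [802.1Q vlan#N PN] src.port > dst.port: FLAGS [seq:end(len)] [ack N] win N ..."
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"           # optional VLAN tag info
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)\s+"                      # '.' means pure ACK
    r"(?:(?P<seq>\d+):\d+\((?P<plen>\d+)\)\s+)?"    # seq range and payload length
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)


@dataclass
class Packet:
    num: int
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    plen: int
    ack: Optional[int]
    win: int


def parse_capture(text: str) -> List[Packet]:
    """Parse 'show capture' output; header/footer lines that are not packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        packets.append(Packet(
            num=int(g["num"]), ts=g["ts"],
            src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
            flags=g["flags"],
            seq=int(g["seq"]) if g["seq"] else None,
            plen=int(g["plen"]) if g["plen"] else 0,
            ack=int(g["ack"]) if g["ack"] else None,
            win=int(g["win"]),
        ))
    return packets


def analyze(packets: List[Packet]) -> Dict[str, object]:
    """Classify one TCP conversation: handshake state, payload bytes per direction,
    and which side closed or reset, then say which layer the failure belongs to."""
    syn = next((p for p in packets if "S" in p.flags and p.ack is None), None)
    if syn is None:
        raise ValueError("no SYN found; the capture missed the start of the connection")
    client, server = syn.src, syn.dst
    synack = next((p for p in packets if p.src == server and "S" in p.flags
                   and p.ack == syn.seq + 1), None)
    third = None
    if synack is not None:
        third = next((p for p in packets if p.src == client and "S" not in p.flags
                      and p.ack == synack.seq + 1), None)
    handshake = synack is not None and third is not None

    c2s = sum(p.plen for p in packets if p.src == client)
    s2c = sum(p.plen for p in packets if p.src == server)
    first_fin = next((p for p in packets if "F" in p.flags), None)
    first_rst = next((p for p in packets if "R" in p.flags), None)

    if not handshake:
        verdict = "TCP handshake incomplete: check routing, NAT and ACLs before looking at LDAP"
    elif s2c == 0:
        verdict = "TCP connected but the server sent no application data: filtered or hung above TCP"
    else:
        verdict = ("TCP and application data flowed both ways: the failure is at the LDAP layer "
                   "(bind/search result), so use 'debug ldap' rather than chasing the network")

    return {
        "client": client, "server": server,
        "handshake_complete": handshake,
        "client_bytes": c2s, "server_bytes": s2c,
        "closed_first_by": first_fin.src if first_fin else None,
        "reset_by": first_rst.src if first_rst else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
```

Paste any `show capture` transcript in place of `SAMPLE_CAPTURE` (or read it from a file) and the verdict line tells you whether to spend time on routing/NAT/ACLs or on the directory side; the byte counts and close/reset attribution are the same facts the reply reads off the capture by hand.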