03-04-2015 03:17 PM - edited 03-11-2019 10:35 PM
Once again still struggling with our new ASA. My new problem is authenticating to our MS Domain Controller. It's a 2012r2 controller and for some reason I cannot connect to it.
I can ping it from the ASA no problem, but when I try to test the AAA authentication I get the following message.
[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007fff33818ef8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://10.2.0.101:389
[-2147483641] Connect to LDAP server: ldap://10.2.0.101:389, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483641] Session End
Any and all help would be appreciated.
Stacey
03-04-2015 09:23 PM
Hi Stacey,
Here is the config example for configuring LDAP authentication on Cisco ASA:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html
Please verify the configs, and also share the Cisco ASA version you are working with.
Capturing below debugs on ASA can be helpful in identifying the cause of the issue:
debug aaa common
Regards,
Tushar Bangia
Note: Please do rate the post if you find it helpful!!
-------------------------------------------------------------
02-03-2016 09:02 PM
Hello All,
I have a 2012R2 DC in native mode and an ASA 5515 running 9.2(2)4 and I am having this exact problem.
I cannot figure it out and TAC cannot figure it out. TAC seems to think it is the DC rejecting the LDAP request by resetting something in the transaction between the DC and ASA. I am doing some digging to determine if I have missed something in the configuration of my 2012R2 server.
I have used Microsoft's LDP.exe from both of my DCs and can connect, BIND and query the Active Directory with the same credentials as I have configured on the ASA. So, my credentials are good and my DC is responding properly or so it seems.
In the Cisco guide referenced here (http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html) why are anonymous LDAP query privileges required? In the configuration of the AAA, we submit a username and a password to the DC to be able to query. I have not specifically configured this and am wondering if I need to do so. I have configured dozens of these solutions in the past but mainly with 2008R2 DCs and not 2012R2. I have never specifically configured anonymous access because of the security implications.
Does anyone have any thoughts on the matter?
-Don
03-09-2015 07:20 AM
Sorry all for not getting back, but it seems the issue was with routing internally. The ASA was sending out requests but it ended up in a loop.
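As an added example (not code from the thread, Cisco or Stacey), the helper below parses the ASA debug transcript quoted in the question and uses the connect status together with the Tx/Rx counters to name the layer that failed: a failed connect with Tx=0 bytes Rx=0 bytes means the ASA never exchanged a byte with the DC, which is the transport-level symptom that matched the routing cause found here. The NEXT_CHECKS wording and the field names are my own assumptions, not ASA output.

```python
import re

# Constructed sample: the "test aaa-server" transcript quoted in the question above.
ASA_DEBUG = """\
[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007fff33818ef8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://10.2.0.101:389
[-2147483641] Connect to LDAP server: ldap://10.2.0.101:389, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483641] Session End
"""

URI_RE = re.compile(r"uri=(ldaps?)://([\d.]+):(\d+)")
CONNECT_RE = re.compile(r"Connect to LDAP server: .*status = (\w+)")
FIBER_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")

# Defender-side checklist per failing layer (assumed wording, not from the thread).
NEXT_CHECKS = {
    "transport": ["show the route to the DC from the ASA interface the aaa-server is bound to",
                  "confirm TCP to the LDAP port is allowed end to end (ACLs, NAT, other firewalls)",
                  "packet capture on the ASA: do SYNs leave, and does anything come back?"],
    "protocol": ["check that ldap/ldaps and 389/636 match what the DC is listening on",
                 "check the DC certificate and the ASA trustpoint if LDAPS is in use"],
    "bind": ["verify the login DN and password with ldp.exe", "verify the base DN and scope"],
}

def classify_ldap_debug(text):
    """Extract server, port, connect status and byte counters; name the failing layer."""
    r = {"scheme": None, "server": None, "port": None, "connect": None,
         "tx": None, "rx": None, "layer": "unknown"}
    for line in text.splitlines():
        if m := URI_RE.search(line):
            r["scheme"], r["server"], r["port"] = m[1], m[2], int(m[3])
        elif m := CONNECT_RE.search(line):
            r["connect"] = m[1]
        elif m := FIBER_RE.search(line):
            r["tx"], r["rx"] = int(m[1]), int(m[2])
    if r["connect"] == "Failed" and r["tx"] == 0 and r["rx"] == 0:
        r["layer"] = "transport"   # nothing was ever exchanged: routing, ACL, or no listener
    elif r["connect"] == "Failed":
        r["layer"] = "protocol"    # bytes flowed but the session still failed: TLS/port mismatch
    elif r["connect"] is not None:
        r["layer"] = "bind"        # TCP connect worked; look at credentials and DNs next
    r["next_checks"] = NEXT_CHECKS.get(r["layer"], [])
    return r

if __name__ == "__main__":
    print(classify_ldap_debug(ASA_DEBUG))
```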
03-09-2015 08:19 PM
Hi Stacey,
Glad to hear that issue has been fixed. Feel free to post your queries on this forum and we would be glad to help you.
Regards,
Tushar Bangia
Note: Please do rate the post if you find it helpful!!
01-27-2017 03:28 AM
Hello,
Has anyone figured out what the problem is? I faced the same issue today.
On the ASA, do I need to issue a certificate for it?
On the Windows Server I receive the following in the Event Viewer:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
Thank you