Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9888
Views
15
Helpful
5
Replies

Unable to contact LDAP server

Go to solution
Stacey Hummer
Level 1
Level 1

‎03-04-2015 03:17 PM - edited ‎03-11-2019 10:35 PM

Once again still struggling with our new ASA. My new problem is authenticating to our MS Domain Controller. It's a 2012r2 controller and for some reason I cannot connect to it.

I can ping it from the ASA no problem, but when I try to test the AAA authentication I get the following message.

 

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007fff33818ef8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://10.2.0.101:389
[-2147483641] Connect to LDAP server: ldap://10.2.0.101:389, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483641] Session End

 

Any and all help would be appreciated.

Stacey

7 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tushar Bangia
Level 1
Level 1

‎03-04-2015 09:23 PM

Hi Stacey,

 

Here is the config example for configuring LDAP authentication on Cisco ASA:

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

Please verify the configs, and also share the Cisco ASA version you are working with.

 

Capturing below debugs on ASA can be helpful in identifying the cause of the issue:

 

debug aaa commom.

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!

-------------------------------------------------------------

View solution in original post

5 Replies 5

Go to solution
Tushar Bangia
Level 1
Level 1

‎03-04-2015 09:23 PM

Hi Stacey,

 

Here is the config example for configuring LDAP authentication on Cisco ASA:

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

Please verify the configs, and also share the Cisco ASA version you are working with.

 

Capturing below debugs on ASA can be helpful in identifying the cause of the issue:

 

debug aaa commom.

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!

-------------------------------------------------------------

Go to solution
dneumann
Level 1
Level 1
In response to Tushar Bangia

‎02-03-2016 09:02 PM

Hello All,

I have a 2012R2 DC in native mode and an ASA 5515 running 9.2(2)4 and I am having this exact problem.  

I cannot figure it out and TAC cannot figure it out.  TAC seems to think it is the DC rejecting the LDAP request by resetting something in the transaction between the DC and ASA.  I am doing some digging to determine if I have missed something in the configuration of my 2012R2 server.

I have used Microsoft's LDP.exe from both of my DCs and can connect, BIND and query the Active Directory with the same credentials as I have configured on the ASA.  So, my credentials are good and my DC is responding properly or so it seems.

In the Cisco guide referenced here (http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html) why are anonymous LDAP query privileges required?  In the configuration of the AAA, we submit a username and a password to the DC to be able to query.  I have not specifically configured this and and wondering if I need to do so.  I have configured dozens of these solutions in the past but mainly with 2008R2 DCs and not 2012R2.  I have never specifically configured anonymous access because of the security implications.

Does anyone have any thoughts on the matter?

 

-Don

0 Helpful

Go to solution
Stacey Hummer
Level 1
Level 1

‎03-09-2015 07:20 AM

Sorry all for not getting back, but it seems the issue was with routing internally. The ASA was sending out requests but it ended up in a loop.

 

 

0 Helpful

Go to solution
Tushar Bangia
Level 1
Level 1
In response to Stacey Hummer

‎03-09-2015 08:19 PM

Hi Stacey,

 

Glad to hear that issue has been fixed. Feel free to post your queries on this forum and we would be glad to help you.

 

Regards,

 

Tushar Bangia

 

Note : Please do rate post if you find it helpful!!

Go to solution
Alexander Vasilev
Level 1
Level 1

‎01-27-2017 03:28 AM

Hello,

anyone figured out what is the problem? I today faced the same issue. 

On the ASA do i need to issue certificate for it? 

On the Windows Server i receive following in the Event Viewer:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Thank you

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card