cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5577
Views
15
Helpful
5
Replies
Highlighted
Beginner

Unable to contact LDAP server

Once again still struggling with our new ASA. My new problem is authenticating to our MS Domain Controller. It's a 2012r2 controller and for some reason I cannot connect to it.

I can ping it from the ASA no problem, but when I try to test the AAA authentication I get the following message.

 

[-2147483641] Session Start
[-2147483641] New request Session, context 0x00007fff33818ef8, reqType = Authentication
[-2147483641] Fiber started
[-2147483641] Creating LDAP context with uri=ldap://10.2.0.101:389
[-2147483641] Connect to LDAP server: ldap://10.2.0.101:389, status = Failed
[-2147483641] Unable to read rootDSE. Can't contact LDAP server.
[-2147483641] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483641] Session End

 

Any and all help would be appreciated.

Stacey

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Hi Stacey,

 

Here is the config example for configuring LDAP authentication on Cisco ASA:

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

Please verify the configs, and also share the Cisco ASA version you are working with.

 

Capturing below debugs on ASA can be helpful in identifying the cause of the issue:

 

debug aaa commom.

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!

-------------------------------------------------------------

View solution in original post

5 REPLIES 5
Highlighted
Beginner

Hi Stacey,

 

Here is the config example for configuring LDAP authentication on Cisco ASA:

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html

Please verify the configs, and also share the Cisco ASA version you are working with.

 

Capturing below debugs on ASA can be helpful in identifying the cause of the issue:

 

debug aaa commom.

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!

-------------------------------------------------------------

View solution in original post

Highlighted

Hello All,

I have a 2012R2 DC in native mode and an ASA 5515 running 9.2(2)4 and I am having this exact problem.  

I cannot figure it out and TAC cannot figure it out.  TAC seems to think it is the DC rejecting the LDAP request by resetting something in the transaction between the DC and ASA.  I am doing some digging to determine if I have missed something in the configuration of my 2012R2 server.

I have used Microsoft's LDP.exe from both of my DCs and can connect, BIND and query the Active Directory with the same credentials as I have configured on the ASA.  So, my credentials are good and my DC is responding properly or so it seems.

In the Cisco guide referenced here (http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98625-asa-ldap-authentication.html) why are anonymous LDAP query privileges required?  In the configuration of the AAA, we submit a username and a password to the DC to be able to query.  I have not specifically configured this and and wondering if I need to do so.  I have configured dozens of these solutions in the past but mainly with 2008R2 DCs and not 2012R2.  I have never specifically configured anonymous access because of the security implications.

Does anyone have any thoughts on the matter?

 

-Don

Highlighted
Beginner

Sorry all for not getting back, but it seems the issue was with routing internally. The ASA was sending out requests but it ended up in a loop.

 

 

Highlighted

Hi Stacey,

 

Glad to hear that issue has been fixed. Feel free to post your queries on this forum and we would be glad to help you.

 

Regards,

 

Tushar Bangia

 

Note : Please do rate post if you find it helpful!!

Highlighted

Hello,

anyone figured out what is the problem? I today faced the same issue. 

On the ASA do i need to issue certificate for it? 

On the Windows Server i receive following in the Event Viewer:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

Thank you

Content for Community-Ad