cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
857
Views
0
Helpful
1
Replies

LDAP communication through cisco site-to-site VPN

ceezr1997
Level 1
Level 1

Hello everyone, n00b here.

We had a cisco tech help us out today so it wasnt I, the n00b, configuring the routers and ASA.

So let me explain.

We have a domain with 3 childs, all in a Paetec MPLS.  One of these childs was taken out of the MPLS today and was put on a comcast business line, therefore outside our ASA firewall.

To keep this kicked out child within the domain a vpn tunnel was created using an ASA 5550 at our colo site which routes traffic to the outside child whenever MPLS traffics needs to reach it.  A few changes on Paetecs side and we were pinging and remote desktop-ing from the kicked off child domain controller.  We thought "great, we're done, lets get the fudge out".

We were wrong...

Later in the evening a user residing in this child domain could not connect via vpn nor check his webmail.  Oh-oh!

So I log into the child server and I can still ping every server in the domain, opened AD users&computers to check the users account to see if it was blocked, it was not.

So I log into another DC from another domain, I can still ping and access the share of the kicked off child BUT active directory gives me the following when trying to connect to that domain to manage the users:

------------------
Active Directory
---------------------------
The domain baftl could not be found because:
The specified domain either does not exist or could not be contacted.

---------------------------
OK  
---------------------------

WTF?!?!?

This happens with our other 4 DC's when trying to connect to the kicked off child, yet they can access its shares (all the servers that have shares can be contacted by ALL servers).  The only diff I notice is that when accessing a share of the kicked off child it prompts to authenticate with a network user/pass.  Once auth you can access the shares.

Now, I am thinking that this could be an LDAP and cisco vpn tunnel issue, but I would have no clue.

I've ran dcdiag and dnsdcdiag on the DC of the kicked off child as well as our main DC in the root domain that holds all the FSMO roles and for the life of me I do not see any FAILS or ERRORS that can guide me in the right direction.

Does the tunnel block LDAP?

WTF is going on?!?!?

Please help!

Thanks,

cesar    

1 Reply 1

lgijssel
Level 9
Level 9

Does the vpn tunnel match traffic on ip or on tcp-udp port level?

LDAP uses TCP transport by default. When this traffic is encrypted, it probablly uses ESP which is not matched by an tcp/udp tunnel.

The vpn should match on ip addresses, otherwise this may be your issue.

Another possibility the DF-bit. Many types of AD-related traffic have this bit set, probably for security reasons.

A vpn tunnel has a considerably smaller mtu than a lan connection because of the encryption overhead.

This is probably why Microsoft machines default to an mtu of 1300.

If you have changed this to a higher value, then the tunnel may drop some traffic.

It may also be that the provider does support a smaller mtu that 1500.

Alternatively, the encryption of LDAP may introduce a double encryption header on the vpn with similar effects.

regards,

Leo

Review Cisco Networking for a $25 gift card