AAA Timeout when trying to authenticate AnyConnect user across VPN

mumbles202
Level 5

Have a 5512 w/ a working AnyConnect integration w/ LDAP to 2 local domain controllers.  Setting up 2 new domain controllers in another site (across a site to site tunnel terminated on this ASA) and I've added them to the ASA in the same LDAP group.  If I do a test aaa-server against the 2 new domain controllers for authentication it works successfully, but when I remove the first 2 domain controllers (the ones in the same site as the ASA), logins fail.  I did a "debug webvpn anyconnect 255" as well as a "debug aaa authentication" and tested and the only thing I saw in the logs was:

Attempting AAA Fallback method LOCAL for Authentication request for user itsadmin : Auth-server group LDAP unreachable

but if I did a test authentication at the same time it worked. I have to do the "test aaa" twice as it fails the first time as unreachable but then works.  I increased the timeout to 12 seconds in the host configuration as well.

Is this not a usable scenario or am I missing something?  What I did notice is that with the debugs enabled I don't see the connection request and failure like I would expect.  As soon as I re-add the old LDAP server and I'm able to connect I do see the login in the debug.

6 Replies

Francesco Molino
VIP Alumni

Hi

When you say you increased the timeout on the host, you meant on the radius server?

You can increase it in the ASA configuration as well.

What is your ASA RADIUS configuration? What is the interface used for AAA requests? Is this interface part of the VPN crypto ACL?

If the interface used is inside, and assuming the NAT exemption is done correctly, you can also apply the command: management-access inside

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'm actually using the servers as straight LDAP servers, without RADIUS. I changed the timer for the host on the ASA in the LDAP group configuration.

I'm using the outside interface in the AAA configuration for the 2 new hosts. The ASA interface IP is listed in the crypto map, and if I do a test aaa-server I'm able to authenticate. When I had tried using the inside interface for the same host I wasn't able to authenticate.

mumbles202
Level 5

I changed the configuration to use the inside interface and added management-access inside.  I removed the public IP address from the VPN configuration and confirmed I'm able to do a test aaa-server w/o any issues.  I still have the same issue however when trying to authenticate w/ AnyConnect.  Nothing shows up in the debug output either (debug ldap 255, debug webvpn anyconnect 255, debug aaa-server).  If I do a test aaa-server I see the output, and as soon as I add back the 2 servers on my LAN I'm able to connect via AnyConnect again.

Can you share the config please?

Also, can you run a capture on your ASA and on the other end to see if packets are sent and replies are coming in?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mumbles202
Level 5

I was just able to figure out the issue.  The ASA and LDAP server had a common username that I was using to test, but with different passwords.  When I removed the LOCAL from the tunnel-group configuration it worked fine. I then added it back but set the timeout for the aaa-server to 20 seconds and I've been able to connect successfully.

The packet captures on the LDAP server did show the traffic coming from the correct source address. 

Worked fine last night, but this morning I had to remove the LOCAL reference in order for users to authenticate for the VPN again.
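For readers working through the same symptom, the following is an added illustrative ASA configuration, not configuration taken from the posts above: it shows the LDAP server group reached through the inside interface with the longer per-host timeout, the management-access command Francesco suggested, the tunnel-group both with and without the LOCAL fallback that caused the silent switch to a local account, and the exec-mode test and capture commands used to confirm what the LDAP server actually receives. Interface names, IP addresses, group names, DNs and the service-account name are placeholders.

```cisco
! Added example, not from the thread. Addresses, group names, DNs and account
! names are placeholders; replace them with your own values.
!
! LDAP server group for the domain controllers on the far side of the
! site-to-site tunnel. The per-host timeout is raised because a slow round
! trip over the tunnel is what made the ASA declare the group unreachable.
aaa-server LDAP-REMOTE protocol ldap
aaa-server LDAP-REMOTE (inside) host 10.20.0.10
 timeout 20
 server-type microsoft
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password REPLACE_ME
aaa-server LDAP-REMOTE (inside) host 10.20.0.11
 timeout 20
 server-type microsoft
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=local
 ldap-login-password REPLACE_ME
!
! Lets the ASA source AAA traffic from the inside interface address into the
! VPN tunnel. The inside address still needs a NAT exemption towards the
! remote site, as Francesco noted.
management-access inside
!
! Variant A: the setting behind the symptom in the thread. With LOCAL listed
! as a fallback, a request that times out against every LDAP host is checked
! against the ASA's local user database instead, so a local account that
! shares a username with a domain account is accepted (or rejected) on the
! local password, and the LDAP debugs show nothing.
tunnel-group ANYCONNECT general-attributes
 authentication-server-group LDAP-REMOTE LOCAL
!
! Variant B: what resolved the issue. LDAP only: a timeout is then a failed
! login rather than a silent fallback to LOCAL.
tunnel-group ANYCONNECT general-attributes
 authentication-server-group LDAP-REMOTE
!
! Exec-mode checks (not configuration lines):
! test aaa-server authentication LDAP-REMOTE host 10.20.0.10 username testuser password REPLACE_ME
! capture LDAPCAP interface inside match tcp any host 10.20.0.10 eq 389
! show capture LDAPCAP
```

Only one of the two tunnel-group variants should be present at a time; they are shown together to contrast the weak setting with the corrected one. The debug line quoted in the original post ("Attempting AAA Fallback method LOCAL ... Auth-server group LDAP unreachable") is the signal that Variant A's fallback has fired, which is worth alerting on in syslog even after the timeout is raised.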