Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

ciscomoderator
Community Manager

This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".

Here’s your chance to discuss more about the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and its integration with other devices and technologies in the Cisco security portfolio, such as ISE and Duo.

This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.

To participate in this event, please use the "Join the Discussion: Cisco Ask the Expert" button below to ask your questions.

Ask questions from Monday, April 6 to Friday, April 17, 2020.

Featured experts
Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years, focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds CCNP, CCDP and CCIE #58881 certifications, and multiple vendor certifications such as ACE, PCNSE and VCP.

Pulkit Saxena works as a High Touch Technical Support (HTTS) Engineer in the Security domain at Cisco, bringing nearly 7 years of industry experience to the team. He has hands-on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS, along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper (CCIE Security and JNCIA).

Jason Grudier is the Technical Leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms, as well as DMVPN, GETVPN, RADIUS, LDAP and certificate authentication.

Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks, from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds a CCNA, CCNP, CCSI, and a CCIE in Security (#51487).

Due to the anticipated volume for this high-demand event, Dinesh, Pulkit, Jason and Gustavo might not be able to answer every question. Remember that you can continue the conversation directly in the Security community.

By posting a question in this event you're giving permission for it to be translated into all languages we have in the community.


@giovanni.augusto 

Duo free trial will give you limited features:

https://duo.com/trial

If you contact your reseller, that is a better option. They can arrange a Duo Proof of Value for qualified customers with all features enabled.

Hello experts,

We recently purchased Cisco FTD 2110 and 1010 for two locations in India. The FMC is in Limerick and all three are connected with site-to-site VPN. Remote access is working in Limerick using a local RADIUS server. When we try to connect to the India location through remote access, authenticating against the RADIUS server in Limerick, it says authentication failure. While troubleshooting I can see that we can ping the RADIUS server from a local machine in India but cannot reach it from the FTD 1010.

Looking for a solution.

Thanks

Gururajan

Hi Gururajan,

I need you to clarify what exactly you mean by "all three connected via site-to-site". As I understand it, FMC is the management centre device where you perform the site-to-site configuration for the other two FTDs. This is my understanding; please let me know if you mean something else.

Now, when you say remote access is working in Limerick, that means accessing FMC itself remotely is working fine.

When you are trying to access the India location, I believe you mean an AnyConnect connection and not device access, and that AnyConnect connection is failing with the error "authentication failure".

First of all, verify that the AAA server is configured correctly on the problematic FTD. We can check from the CLI via the command "test aaa-server" for a specific user to see whether we have proper reachability to the AAA server from the FTD or not.

-

Pulkit

Hi Pulkit,

My FMC and RADIUS servers are located in Limerick. One FTD 2110 is in Chennai and one FTD 1010 is in Bangalore. All 3 are interconnected with site-to-site VPN and I can access the FMC only through the local IP (Limerick IP address).

When I tried to test AAA authentication from the Bangalore FTD CLI:

firepower# test aaa-server authentication BSB_RadiusServer host 192.168.0.198
Username: Gururajan.s
Password: ***********
INFO: Attempting Authentication test to IP address (192.168.0.198) (timeout: 32
ERROR: Authentication Server not responding: No response from server

But from a Bangalore local PC I am able to reach the RADIUS server 192.168.0.198 by ping, but when I tried from the FTD CLI it is not connecting.

So the FTD is not able to reach the AAA server (Limerick), since it is connected via site-to-site VPN, and I am not able to connect from Bangalore.


Hello @Gururajansrinivasan32898 

FTD will do a route lookup to reach your RADIUS server; the result will be that it is reachable through the outside interface where you have configured the L2L VPN. Most likely that VPN has only defined the subnets from Limerick, Chennai and Bangalore, so when the RA clients connect to Chennai and Bangalore those FTDs will try to reach the RADIUS server sourcing the traffic from their outside IP.

What you need to do is to include the outside IPs of Chennai and Bangalore in the VPN interesting traffic. On Limerick, make sure the NAT exemption from the RADIUS server to the Chennai and Bangalore IPs is in place.

Regards,

Gustavo


Hi @Gururajansrinivasan32898

As Gustavo pointed out, we need to have the interesting traffic for the VPNs modified to include the outside interface IPs of Chennai and Bangalore.
This follows from the fact that local users behind these FTDs are able to reach the AAA server, as their subnets are part of the interesting VPN traffic.

-
Pulkit
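The two changes Gustavo and Pulkit describe, written out as an ASA-style configuration for the Limerick hub. This is an added illustration, not configuration from the thread; on an FMC-managed FTD the same objects are created in the FMC GUI (network objects, the site-to-site topology's protected networks, and a NAT rule) and the deployed configuration is equivalent. The RADIUS address 192.168.0.198 comes from the thread; the LAN subnets, interface names, object names and the Bangalore outside address 203.0.113.30 are placeholders.

```text
! Objects (placeholder addresses, except the RADIUS server from the thread)
object network LIMERICK-LAN
 subnet 192.168.0.0 255.255.255.0
object network BANGALORE-LAN
 subnet 10.30.0.0 255.255.255.0
object network RADIUS-SERVER
 host 192.168.0.198
! The Bangalore FTD's own outside interface address (placeholder)
object network BANGALORE-FTD-OUTSIDE
 host 203.0.113.30
!
! 1) Interesting traffic for the Limerick <-> Bangalore tunnel.
!    The first line is what normally exists (LAN to LAN).
!    The second line is the missing entry: RADIUS traffic to the Bangalore
!    FTD's OWN outside address, because the FTD sources its AAA requests
!    from the interface the route lookup selects, which here is outside.
access-list L2L-BANGALORE extended permit ip object LIMERICK-LAN object BANGALORE-LAN
access-list L2L-BANGALORE extended permit ip object RADIUS-SERVER object BANGALORE-FTD-OUTSIDE
!
! 2) NAT exemption on Limerick (identity NAT, no translation) so the RADIUS
!    replies keep their real addresses and match the crypto ACL above.
nat (inside,outside) source static RADIUS-SERVER RADIUS-SERVER destination static BANGALORE-FTD-OUTSIDE BANGALORE-FTD-OUTSIDE no-proxy-arp route-lookup
```

Chennai needs the same pair of entries with its own outside address, and each spoke's side of the tunnel must mirror them: its protected networks must include its own outside address to RADIUS-SERVER, and no NAT rule may rewrite that flow. After deploying, rerun the `test aaa-server authentication` command from the thread on the spoke; a correct result is an authentication pass or fail for the user rather than "No response from server".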

Hello Gustavo,

Can you please provide the document on how to include the outside interface in the interesting traffic so that the AAA server authentication works?

PiotrB
Level 1

I would like to attach a script that will update the DNS entry for computers connecting via VPN.

(This will make it easier to connect remotely to offer remote help to users.)

I would like to add this script to the AnyConnect group created on the FTD (we are not using ASDM, just the Firepower instance on an ASA 5xxx series).

I am not able to find any documentation regarding adding a script on FTD to the AnyConnect profile.

Could you tell me if it is possible?

@Dinesh Moudgil @Pulkit Saxena @Jason Grudier @Gustavo Medina

Hi Piotr,

I find your question interesting; I would like to hop in :)

We are currently using address pools at the firewall since these are more efficient than assigning an IP through an internal DHCP server, but the drawback is that the hostname-to-IP mapping from the DNS server may be incorrect, since it relies solely on the Active Directory login mapping.

Now I was thinking of using DHCP from an internal server. Since we use Active Directory-integrated DHCP, it should also update the A record for the specific host. I am just afraid this may not be efficient unless the DHCP lease is very short (say 30 minutes with renewals every 15 minutes), but then that would mean 2 things:

A) the DHCP server(s) becomes a single point of failure, or at least critical to the infrastructure (due to the short lease)
B) most users connect at the same time, so a short DHCP lease would generate quite some traffic all at more or less the same time (say 1000 concurrent users connected generate an average of 500 (!) DHCP renewals at the same time every 15 minutes for a DHCP lease of 30 minutes!)

Questions:
So from my side I wanted to ask:
1) Is it possible to use address pools but update a DNS server?
2) Is it possible to use the firewall's internal DHCP server for the remote access lease and, if yes, update a DNS server with the lease information?
3) Is it reasonable and sustainable to instead use a DHCP server for 500-1000 (and more) average concurrent users and keep a short DHCP lease? If yes, would that mitigate the issue seen by Piotr, and how would that best be scaled?

Thanks in advance!

Hello @PiotrB ,

As of now, logon scripts are not supported on AnyConnect connecting to an FTD device managed by FMC or FDM because they do not support any customization.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/firepower_threat_defense_remote_access_vpns.html

 

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • Posture variants such as Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.

  • AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

Hi Guys,

 

As @jgrudier mentioned, we do not support customization yet. This is on the roadmap for 6.8; however, what is not supported is pushing the script to the clients. If you modify the XML profile and push it to the clients along with your OnConnect script in the right location, it will work. You can follow the AC admin guide for a general understanding of the feature:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/customize-localize-anyconnect.html#ID-1408-00000396

@giovanni.augusto When it comes to DNS updates for DHCP, how it works is that the ASA/FTD passes in the host name (NOT the FQDN; there is an ENH for FQDN) via DHCP, and everything else is up to the DHCP server and how it communicates with the DDNS environment.

Something that can be done is to have Windows clients directly communicate with DDNS servers for registration.

-Gustavo

Hi Team,

First of all, thank you very much for doing this. You guys rock :).

I have a few questions. We are running an FTD 2140 (running the FTD image and connected to FMC) and generated a CSR, which I did on the FTD:

openssl genrsa -out FTD1.key 2048

openssl req -new -key FTD1.key -out FTD1.csr

The output of the above commands has been submitted to our public CA, and I have a root CA, identity CA and .pem file. Now how can I use the identity certificate in FTD?

When I run this command I get an error:

openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer -certfile Root.cer

Kindly, could you please help here.

please do not forget to rate.

Hello Sheraz,

Great to hear from you!

I did a quick test and the following command works for me on FTD
openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer

Please note I used "Base 64 encoded" format of ID certificate signed by CA.
Can you please confirm what error you get when you attempt to create the .pfx certificate and what is the format of your ID certificate ?

Regards,
Dinesh Moudgil


Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

 

I get this error. No idea what I am missing here.

FTD1:~$ openssl pkcs12 -export -out FTD1.pfx -inkey FTD1.key -in FTD1.cer -certfile Root.cer
No certificate matches private key

I double checked I have

FTD1:~$ cat FTD1.crt
-----BEGIN CERTIFICATE-----
MIIFJjCCAw4CCQCDyDsSbw5UITANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJH

 

FTD1:~$ cat FTD1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA1v91avgdvjcer+kznBdjRUGmXbqkwlNZl+sV5rMK52OgSUET

 

FTD1:~$ cat FTD1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICuzCCAaMCAQAwdjELMAkGA1UEBhMCR0IxEzARBgNVBAgMCkxhbmNhc2hpcmUx

please do not forget to rate.

Hi Sheraz,

 

It appears that the private key you use in the command is not associated with the certificate you are importing.

 

Can you please check if the correct files are called in the command?

You don't necessarily need to generate such CSR on FTD. It can be generated on any other device that supports OpenSSL.

 

I did a test with inclusion of CA cert and that works on FTD as well:

openssl pkcs12 -export -out FTD2.pfx -inkey FTD1.key -in FTD1.cer -certfile CA.cer

 

The variables that might be different are that I am using .cer extension and Base 64 encoding.

 

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
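A way to catch the "No certificate matches private key" problem before running the export, as an added example (not Cisco's tooling and not code posted in the thread): extract the public key from the private key, the CSR and the issued certificate, compare them, and only build the PKCS#12 bundle when they agree. It assumes a POSIX shell with the openssl command on PATH (the FTD expert-mode shell used in the thread qualifies); the FTD1.* file names follow the thread, and the demo CA and second key that make_demo_material creates are constructed test material, not real certificates.

```shell
#!/bin/sh
# Added example: verify that key, CSR and certificate belong together before
# 'openssl pkcs12 -export'. A key/certificate mismatch is exactly what produces
# openssl's "No certificate matches private key" error seen in the thread.

# Extract the public key (PEM SubjectPublicKeyInfo) from each kind of file.
# Errors are silenced so an unreadable or wrong-format file yields an empty string.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr()  { openssl req  -in "$1" -pubkey -noout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# SHA-256 fingerprint of a PEM public key, for reporting which key was found.
pubkey_fingerprint() {
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl sha256 | awk '{print $NF}'
}

# same_pubkey PEM_A PEM_B -> exit 0 only when both are non-empty and identical.
# The non-empty check matters: two failed extractions must not "match".
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# key_matches_cert KEY CERT  /  csr_matches_cert CSR CERT
key_matches_cert() { same_pubkey "$(pubkey_of_key "$1")" "$(pubkey_of_cert "$2")"; }
csr_matches_cert() { same_pubkey "$(pubkey_of_csr "$1")" "$(pubkey_of_cert "$2")"; }

# build_pfx KEY CERT CA_CERT OUT PASSWORD
# Refuses up front, with both fingerprints, when key and certificate do not belong
# together; otherwise runs the same export as in the thread (plus -passout so it can
# run non-interactively; a real bundle should get a real passphrase).
build_pfx() {
    key=$1; cert=$2; ca=$3; out=$4; pw=$5
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing: public key in $cert ($(pubkey_fingerprint "$(pubkey_of_cert "$cert")"))" >&2
        echo "          does not match $key ($(pubkey_fingerprint "$(pubkey_of_key "$key")"))" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -certfile "$ca" -passout "pass:$pw"
}

# make_demo_material DIR
# Constructed test data: a throw-away CA, an FTD key whose CSR that CA signs
# (the good case), and an unrelated second key (the mismatch case).
make_demo_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.cer" \
        -subj "/CN=Demo Root CA" -days 1 2>/dev/null
    openssl genrsa -out "$d/FTD1.key" 2048 2>/dev/null
    openssl req -new -key "$d/FTD1.key" -out "$d/FTD1.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -in "$d/FTD1.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/FTD1.cer" -days 1 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Stand-alone demo: the good bundle is built, the bundle with the wrong key is refused.
demo() {
    d=$(mktemp -d)
    make_demo_material "$d"
    build_pfx "$d/FTD1.key"  "$d/FTD1.cer" "$d/ca.cer" "$d/FTD1.pfx" demo && echo "FTD1.pfx built"
    build_pfx "$d/other.key" "$d/FTD1.cer" "$d/ca.cer" "$d/bad.pfx"  demo || echo "mismatch caught"
    rm -rf "$d"
}

# Run the demo only when invoked as: sh thisfile.sh demo
case "${1:-}" in demo) demo ;; esac
```

For the real files, `key_matches_cert FTD1.key FTD1.cer` answers Dinesh's question directly: if it fails but `csr_matches_cert FTD1.csr FTD1.cer` passes, the certificate is right and the wrong key file is being passed; if both fail, the CA issued the certificate for a different CSR. Note also that the commands in the thread mix the names FTD1.cer and FTD1.crt, which is exactly the kind of slip this check surfaces.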