1106
Views
0
Helpful
7
Replies

FMC Anyconnect with LDAP AD server

Amills
Level 1

I followed the directions in this video and document to get AnyConnect configured on the 2110 with FMC. I can connect and get a username and password prompt to come up when I try to connect remotely but it never accepts my credentials. It just flashes and the password field is blank. 

 

 

 

https://www.youtube.com/watch?v=ZZRVAFcSZCA

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214283-configure-anyconnect-ldap-mapping-on-fir.html

 

I've tried going through this tutorial with a vanilla setup, basically not doing FlexConfig, and I get the same results. It doesn't like my credentials.

 

https://www.youtube.com/watch?v=ZZRVAFcSZCA

 

Accepted Solution

OK, so after doing some digging I figured out it was related to DNS, but now I am having issues with accessing internal resources. I'm sure it's related to U-turn NAT or ACLs. Again, I followed the tutorials listed above, and assuming they are correct, I'm not sure what I have wrong on my end.

I figured out it was the DNS because of this post:

https://community.cisco.com/t5/vpn/community-ask-me-anything-configuration-troubleshooting-and-best/td-p/4058826

 

Adding in DNS here fixed that issue.

fmc dns.PNG

 

any vpn policy.JPG

The ANYCONNECT object is the subnet AnyConnect users are on, and the SPLIT TUNNEL object has all of our internal subnets in it.

 

nat vpn.JPG

 

 


7 Replies

balaji.bandi
Hall of Fame

What are the logs you see on FMC when you try to connect?

 

BB


Hi,

If it's not accepting your creds, then either your account is locked, you are entering an incorrect password, or you need to check the connectivity between your Firepower and the identity source.



@balaji.bandi Where do I get the logs? What commands do I run to get them?

 

@Mohammed al Baqari 

I am in the office with my laptop and a Verizon hotspot to test connecting with a VPN. I can log in on my desktop PC just fine with my Windows login creds, and my account is not locked. When I reconnect the laptop to the local network I can log in to Windows. Connectivity was checked. I've tested VPN in from home and I get the same results of it not accepting my credentials.

 

test to AD success.JPG

 

 

When I go into System > Integration > Realms > Edit Realm > Realm Configuration and "Test AD Join", it fails. However, the directory test succeeds. When I go into "User Download" with "Download users and groups" checked, I can see all of our user groups configured in Active Directory. We are using Windows Server 2016.

@balaji.bandi 

 

I have these 2 debugs on and I see this output when I try to VPN in.

debug ldap 250
debug aaa common 250

 

firepower# ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4
ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4

 
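The `debug ldap` lines above show the FTD adding its directory server as `0.0.0.0`, and the accepted answer in this thread traces the failure to DNS on the FTD. The script below is an added example, not from the thread or from Cisco, that turns that diagnosis into a repeatable check: it scans captured debug output for server-add lines with a `0.0.0.0` address and, given the realm's directory hostname(s), reports which of them fail to resolve. The sample debug text is constructed from the lines posted here, the realm hostname `dc01.example.internal` is hypothetical, and the resolver is injectable so the logic can be exercised without live DNS.

```python
"""Triage helper for FTD `debug ldap` output (added example, not Cisco tooling).

It reads the debug lines for `ldap_client_server_add` entries whose address is
0.0.0.0 and, for each configured directory hostname, checks whether it resolves.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Matches the server-add line format seen in the thread, e.g.
#   ldap_client_server_add: Add server:0.0.0.0, group=4
SERVER_ADD = re.compile(
    r"ldap_client_server_add: Add server:(?P<addr>[0-9.]+), group=(?P<group>\d+)"
)

# Constructed sample modelled on the thread's output; the `firepower# ` prompt
# on the first line is tolerated because the pattern is searched, not anchored.
SAMPLE_DEBUG = """\
firepower# ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4
ldap_client_server_add: Add server:0.0.0.0, group=4
ldap_client_server_unlock: Free server:0.0.0.0, group=4
"""


def unresolved_server_groups(debug_output: str) -> List[int]:
    """Return the AAA group ids whose LDAP server was added as 0.0.0.0.

    A 0.0.0.0 address on the server-add line means the FTD had no usable
    address for the realm's directory server; in this thread the cause was
    that no DNS servers were configured on the device.
    """
    groups: List[int] = []
    for line in debug_output.splitlines():
        m = SERVER_ADD.search(line)
        if m and m.group("addr") == "0.0.0.0":
            g = int(m.group("group"))
            if g not in groups:
                groups.append(g)
    return groups


def check_resolution(
    hostnames: Iterable[str],
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, Optional[str]]:
    """Map each hostname to its resolved address, or None if resolution fails.

    `resolve` defaults to the system resolver but can be replaced with a stub
    so the check runs offline.
    """
    results: Dict[str, Optional[str]] = {}
    for name in hostnames:
        try:
            results[name] = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = None
    return results


def triage(
    debug_output: str,
    realm_hosts: Iterable[str],
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings: List[str] = []
    groups = unresolved_server_groups(debug_output)
    if groups:
        findings.append(
            f"LDAP server added as 0.0.0.0 for AAA group(s) {groups}: "
            "the directory hostname is not resolving on the FTD"
        )
    for name, addr in check_resolution(realm_hosts, resolve).items():
        if addr is None:
            findings.append(f"{name}: DNS resolution failed; check the DNS servers configured on the FTD")
        else:
            findings.append(f"{name}: resolves to {addr}")
    return findings


if __name__ == "__main__":
    # Hypothetical realm hostname; a live run uses the system resolver.
    for finding in triage(SAMPLE_DEBUG, ["dc01.example.internal"]):
        print(finding)
```

Run it against a pasted `debug ldap` capture and the hostname(s) configured in the FMC realm; a `0.0.0.0` finding together with a failed resolution points at the device's DNS settings rather than at the user's credentials.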


OK, I believe I have it all working now.

 

When I tried to go into network shared drives I couldn't access them; however, when I RDP by IP address into servers or my desktop PC I was able to do that. I double-checked my U-turn NAT and access policies and they checked out OK. I figured it had to do with DNS because I couldn't ping by hostname.

 

I went into the Group Policy I use for AnyConnect and added in the VPN subnet under "IP Address Pools" and our internal DNS servers under "DNS/WINS". After adding those in I can access network share drives.

 

any group policy dns.JPG

any group policy IPs.JPG