01-09-2017 07:58 AM
I have the following setup on our ASA 5516-x
==========================================
aaa-server remote_ldap (inside) host 10.x.x.x
timeout 30
server-port 50002
ldap-base-dn dc=xxxxx, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=remoteldap, cn=Administrators, dc=xxxxx, dc=local
=========================================
But we are unable to complete a test lookup - from ASDM we are receiving the error: Authentication Server not responding. AAA server has been removed.
Using the debug ldap 255 command we see this :
Session Start
New request Session, context 0x00002aaad7fd1820, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldap://10.x.x.x:50002
Connect to LDAP server: ldap://10.x.x.x:50002, status = Successful
supportedLDAPVersion: value = 3
supportedLDAPVersion: value = 2
Binding as remoteldap
Performing Simple authentication for remoteldap to 10.x.x.x
Simple authentication for remoteldap returned code (80) Internal (implementation specific) error
[-2147483539] Failed to bind as administrator returned code (-1) Can't contact LDAP server
Fiber exit Tx=225 bytes Rx=671 bytes, status=-2
Session End
Does anyone have any ideas what could be causing this issue?
01-09-2017 01:02 PM
Hello,
can you post the full config of your ASA ?
01-10-2017 01:08 AM
Let me know what part of the configuration you need to help and I will post that part.
Thanks for your help.
01-10-2017 01:12 AM
Actually the full config would be best...
01-10-2017 01:27 AM
01-10-2017 04:53 AM
Hello,
you do not have an ldap attribute-map configured, which means all your VPN users are allowed. I guess that is on purpose ?
I cannot see anything obviously wrong with the config. I would suggest to try and test locally first. The document below describes how you can do that:
https://www.tunnelsup.com/cisco-asa-vpn-authorize-user-based-on-ldap-group/
01-10-2017 07:44 AM
Tested as per the tunnelsup document, but no new info...let me know if this does help though...
01# test aaa-server authentication remote_ldap username xxx password xxx
Server IP Address or name: 10.5.x.x
INFO: Attempting Authentication test to IP address <10.5.x.x> (timeout: 32 seconds)
ERROR: Authentication Server not responding: AAA Server has been removed
01#
[-2147483516] Session Start
[-2147483516] New request Session, context 0x00002aaad7fd1820, reqType = Authentication
[-2147483516] Fiber started
[-2147483516] Creating LDAP context with uri=ldap://10.5.x.x:50002
[-2147483516] Connect to LDAP server: ldap://10.5.x.x:50002, status = Successful
[-2147483516] supportedLDAPVersion: value = 3
[-2147483516] supportedLDAPVersion: value = 2
[-2147483516] Binding as remoteldap
[-2147483516] Performing Simple authentication for remoteldap to 10.5.x.x
[-2147483516] Simple authentication for remoteldap returned code (80) Internal (implementation specific) error
[-2147483516] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483516] Fiber exit Tx=225 bytes Rx=671 bytes, status=-2
[-2147483516] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
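The two debug captures above (the original post and the `test aaa-server` run) both show the same pattern: the TCP connect to 10.x.x.x:50002 reports "Successful" and 671 bytes come back, so the server is reachable and the failure is in the simple bind itself, not in the network path. The fastest way to separate the ASA from the server is to perform the same LDAPv3 simple bind from any other host with the same bind DN, password and port. The script below is an added example, not from the thread and not Cisco or tunnelsup code: it speaks the bind exchange with the Python standard library only (no ldap3/python-ldap install needed), decodes the server's resultCode by RFC 4511 name, and runs a cheap sanity check on the bind DN. Host, port, DN and password values are placeholders; the "constructed sample" reply is built locally so the parser can be exercised offline. The DN check rests on one AD fact the thread does not spell out: `cn=Administrators` is the Builtin Administrators group (its DN is `cn=Administrators,cn=Builtin,<domain>`), and AD groups cannot contain user objects, so a login DN of the form `cn=<user>,cn=Administrators,<domain>` cannot resolve.

```python
"""Stand-alone LDAPv3 simple-bind probe (stdlib only).

Mirrors the two stages in the ASA 'debug ldap 255' output: TCP connect,
then BindRequest / BindResponse. All host, port and DN values are
placeholders (assumptions), not values taken from the thread.
"""
import socket
from typing import Dict, List

# LDAP resultCode values, RFC 4511 section 4.1.9 (subset).
RESULT_CODES: Dict[int, str] = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform", 80: "other",
}


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x0A gives ENUMERATED)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return ber_tlv(tag, value.to_bytes(n, "big", signed=True))


def build_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }."""
    op = ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, bind_dn.encode())
                 + ber_tlv(0x80, password.encode()))
    return ber_tlv(0x30, ber_int(msg_id) + op)


def build_bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1]; only used here to construct offline sample replies."""
    op = ber_tlv(0x61, ber_int(result_code, 0x0A) + ber_tlv(0x04, b"")
                 + ber_tlv(0x04, diagnostic.encode()))
    return ber_tlv(0x30, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> Dict[str, object]:
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse, got protocolOp tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage (AD appends a NUL)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result_name": RESULT_CODES.get(rc, "unknown"),
            "matched_dn": matched.decode(errors="replace"),
            "diagnostic": diag.decode(errors="replace").rstrip("\x00")}


def ad_dn_warnings(dn: str) -> List[str]:
    """Sanity checks on a bind DN meant for Active Directory."""
    rdns = [r.strip() for r in dn.split(",")]
    out = []
    if len(rdns) > 1 and rdns[1].lower() == "cn=administrators":
        out.append("parent RDN cn=Administrators is the Builtin Administrators group; AD groups "
                   "cannot contain users, so this DN cannot exist. Use cn=Users,<domain> or an OU.")
    if not any(r.lower().startswith("dc=") for r in rdns):
        out.append("no dc= components: not a domain-style DN")
    return out


def ldap_simple_bind(host: str, port: int, bind_dn: str, password: str,
                     timeout: float = 5.0) -> Dict[str, object]:
    """Stage 1: TCP connect (raises on failure). Stage 2: bind. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # usage: probe.py <host> <port> <bind_dn> <password>
        host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
        for w in ad_dn_warnings(dn):
            print("WARNING:", w)
        print(ldap_simple_bind(host, port, dn, pw))
    else:  # offline demo against a constructed invalidCredentials reply
        print(parse_bind_response(build_bind_response(1, 49, "constructed sample reply")))
        print(ad_dn_warnings("cn=remoteldap, cn=Administrators, dc=example, dc=local"))
```

Run it with the same four values the ASA is configured with; a socket error means the port is not reachable from that host, while any BindResponse means the server answered and the resultCode (49 invalidCredentials, 34 invalidDNSyntax, 80 other) says why it rejected the bind. Sending the password over plaintext 389 is exactly what the ASA does too, so run the probe from inside the same segment and rotate the service-account password if it crosses anything untrusted.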
01-10-2017 09:00 AM
Hello,
I am not sure but I think you are currently using the local database only. Try to add the server group (which is remote_ldap as far as I can tell from your config):
aaa authentication ssh console remote_ldap LOCAL
01-11-2017 07:49 AM
Would this make any difference when testing LDAP?
01-13-2017 01:28 AM
Does anyone know what this error actually relates to? I have been unable to find any information which references this code and error message.
Simple authentication for remoteldap returned code (80) Internal (implementation specific) error
[-2147483539] Failed to bind as administrator returned code (-1) Can't contact LDAP server
01-13-2017 06:51 AM
Has this ever worked? Or is this a new implementation?
I wonder about the use of port 50002. My experience with ldap has been using ports 389 or 636. I wonder if the problem is the port being used.
HTH
Rick
01-13-2017 06:59 AM
This is a first time setup test. I have tried connecting to a different domain controller using 389 but we have the same issue.
01-13-2017 07:40 AM
Have you tried removing the line specifying the port and test access without specification of the port?
Is this ldap server working for other devices? Is it possible that there is something wrong in the setup of the server?
HTH
Rick
01-13-2017 08:14 AM
Thanks for all help given - This issue is now resolved. Not sure what the issue was but I pointed it at a different domain controller and used an already setup ldap implementation using 389.
01-13-2017 08:20 AM
Thanks for posting back and letting us know that you found a solution to the problem using a different domain controller and using port 389. I am glad that my suggestions pointed you in the right direction.
HTH
Rick