Unable to contact LDAP over S2S vpn for AnyConnect Connectivity

Retro234
Level 1

Hi,

We have a Cisco ASA firewall 5512 version 9.9. We have recently moved our DNS servers to Azure (accessed over a site-to-site VPN). Before, we had no issues with the ClientSSL VPN; now, when I enter the new LDAP server address and set it to the Outside interface (which I believe is correct as it's over a VPN, although I did try the Inside interface too with the same issue), I just get a timeout. Doing a debug on the ASA shows the following:

[3813] Creating LDAP context with uri=ldap://10.38.145.20:389
[3813] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[3813] Unable to read rootDSE. Can't contact LDAP server.
[3813] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2

How can I get it to see the Domain Controllers in Azure? I can connect to LDAP fine from my client PC; the issue seems to be getting it to work from the ASA.

I tried pinging the remote network from the ASA but I do not get a response via TCP or ICMP pings. PCs on the internal network are responding fine, but the issue appears to be just for the ASA.

Do I need to add anything into the config to allow me to access resources on the other end of the tunnel from the firewall initiating it?

Thanks!

Brendan

11 Replies

Cristian Matei
VIP Alumni

Hi,

   Assuming 10.38.145.20 is the IP address of the LDAP server and x.x.x.x is the outside IP of your ASA, did you match on traffic from your ASA outside IP to the LDAP server in your crypto ACL, like "permit ip host x.x.x.x host 10.38.145.20"? This has to be done on the other side as well, with the ACL entry in mirror.

   If it still doesn't work, post the output of the following, while trying to authenticate against the LDAP server:

debug ldap 128
debug aaa common
show crypto ipsec sa peer AZURE_VPM

Regards,

Cristian Matei.

Hi Cristian,

Many thanks for getting back to me.

I have had a look at the crypto maps and there isn't anything in there for the actual Outside IP of our firewall going to that host/subnet, I don't think.

We have crypto maps for our internal subnets to the Azure subnets.

This is shown below from our firewall:

   Crypto map tag: Outside_map, seq num: 5, local addr: 212.139.167.114

      access-list Outside_cryptomap_3 extended permit ip 10.36.144.0 255.255.240.0 10.38.144.0 255.255.240.0 
      local ident (addr/mask/prot/port): (10.36.144.0/255.255.240.0/0/0)
      remote ident (addr/mask/prot/port): (10.38.144.0/255.255.240.0/0/0)
      current_peer: 51.140.251.238

      local crypto endpt.: 212.139.167.114/0, remote crypto endpt.: 51.140.251.238/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4D42CF3A
      current inbound spi : F0634956

Does the above cover what we need, or do I need to add another crypto map?

Sorry, I'm a bit of a newbie when it comes to VPNs. Apologies if this is really basic!

Brendan

 

Hi,

   You just need to add a new entry in your ACL which defines the encryption domain: "outside_cryptomap_3":

access-list outside_cryptomap_3 permit ip host FIREWALL_OUTSIDE_PUBLIC_IP host LDAP_PRIVATE_IP(10.38.145.20)

   An entry in Azure VPN configuration needs to be added as well, with ACL entry in mirror (swap source with destination).

Regards,

Cristian Matei.
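To make the encryption-domain point concrete, here is an added example (not from the thread, Cisco, or Azure) that parses ASA-style crypto ACL entries and checks whether a given source/destination pair is selected for the tunnel. The addresses are the ones quoted in the thread; the ACL name peer_cryptomap in the mirror helper is a placeholder, since the Azure gateway has no ACL syntax of its own.

```python
import ipaddress

# Constructed from the thread: the original crypto ACL only covers the internal LAN,
# so traffic sourced from the ASA's own outside address is routed unencrypted instead.
ORIGINAL_ACL = [
    "access-list Outside_cryptomap_3 extended permit ip "
    "10.36.144.0 255.255.240.0 10.38.144.0 255.255.240.0",
]
FIXED_ACL = ORIGINAL_ACL + [
    "access-list Outside_cryptomap_3 extended permit ip "
    "host 212.139.167.114 host 10.38.145.20",
]

def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any', or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_crypto_ace(line):
    """Return (src_net, dst_net) for an ASA 'permit ip' ACE."""
    tokens = line.split()
    i = tokens.index("permit") + 2          # skip 'permit ip'
    src, i = _parse_addr(tokens, i)
    dst, _ = _parse_addr(tokens, i)
    return src, dst

def matching_ace(acl, src_ip, dst_ip):
    """First ACE that selects src->dst for encryption, or None if the pair is outside the domain."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        src_net, dst_net = parse_crypto_ace(line)
        if s in src_net and d in dst_net:
            return line
    return None

def _fmt(net):
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"

def mirror_ace(line, name="peer_cryptomap"):
    """Peer-side entry with source and destination swapped (placeholder ACL name)."""
    src, dst = parse_crypto_ace(line)
    return f"access-list {name} extended permit ip {_fmt(dst)} {_fmt(src)}"
```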

 

Hi Cristian,

Thanks so much for helping me out on this!

I have got further. I added the crypto map and added it to the Azure side. The configuration there is pretty basic, so I only had the option to add subnets or hosts to the address space of the gateway, so I added "OUTSIDE_IP/32".

Good news: I can now TCP ping on port 389 from the ASA!

Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.38.145.20 port 389
from 212.139.167.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/15/15 ms

Bad news is that I'm still getting errors with the VPN.

Debug still shows the below:

[-2147483637] Session Start
[-2147483637] New request Session, context 0x00007f1a6b820c60, reqType = Authentication
[-2147483637] Fiber started
[-2147483637] Creating LDAP context with uri=ldap://10.38.145.20:389
[-2147483637] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[-2147483637] Unable to read rootDSE. Can't contact LDAP server.
[-2147483637] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483637] Session End
[3858] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[3858] Session End

I don't see why it's still not working. Have you got any idea why?

Thanks so much!

Hi,

   Can you post your LDAP server configuration, or even better the whole config?

Regards,

Cristian Matei.

aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Outside) host 10.38.145.18
 server-type auto-detect
aaa-server LDAPSERVERS (Outside) host 10.38.145.20
 server-type auto-detect

I'd have to ask my boss if he's comfortable with pasting the whole config; not sure if that's a security risk. Sorry, I know you want to help but I don't want to get fired for pasting confidential stuff :)

Is the above of any further help?

Hi,

    So there is now connectivity with the remote side. Can you "clear crypto ipsec sa counters", trigger the ASA to send LDAP requests, issue "show crypto ipsec sa peer x.x.x.x detail" a couple of times and post the output? Also, are you sure that everything is good on the other side: is the ASA's public IP address allowed to speak LDAP with the server, is the service running?

Regards,

Cristian Matei.

Hi Cristian,

I got further at the weekend. It now seems to work when I run it via the test option in the ASDM console.

Crypto map tag: Outside_map, seq num: 5, local addr: 212.139.167.114

      access-list Outside_cryptomap_3 extended permit ip host 212.139.167.114 host 10.38.145.20 
      local ident (addr/mask/prot/port): (212.139.167.114/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.38.145.20/255.255.255.255/0/0)
      current_peer: 51.140.251.238


      #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
      #pkts decaps: 44, #pkts decrypt: 39, #pkts verify: 39
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 60, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 212.139.167.114/0, remote crypto endpt.: 51.140.251.238/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 1E49B9A2
      current inbound spi : ED0FF3E2

    inbound esp sas:
      spi: 0xED0FF3E2 (3977245666)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3799, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (97199978/3316)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000FFF 0xFFFFC7FD
    outbound esp sas:
      spi: 0x1E49B9A2 (508148130)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3799, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (97199994/3316)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

[Screenshot attached: Cisco ASDM 7.9(1) for ASA, AAA server test result]

However, when I try to connect with the AnyConnect client, I get the following in the debug log:

[4069] Processing LDAP response for user usertest1
[4069] Message (usertest1): 
[4069] Authentication successful for usertest1 to 10.38.145.20
*
Lots more sensitive info then...
[4069] Fiber exit Tx=718 bytes Rx=17970 bytes, status=1

All I get on the VPN client is the following:

[Screenshot attached: AnyConnect client error]

If I keep trying it, even with the correct details, I get the following and it's like it can't see it again.

If I then wait a while, it seems to "work" by connecting again once or twice.

[4075] Session Start
[4075] New request Session, context 0x00007f1a6b820c60, reqType = Authentication
[4075] Fiber started
[4075] Creating LDAP context with uri=ldap://10.38.145.20:389
[4075] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[4075] Unable to read rootDSE. Can't contact LDAP server.
[4075] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[4075] Session End

The VPN is stable, so I don't know what is going on.

Bit of a strange one this; it was working fine before I moved the LDAP server. I think we are close now! Any ideas? Thanks so much!
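An added example (not from the thread or from Cisco) that parses the kind of "debug ldap" output quoted above into per-session outcomes, separating a transport failure (Tx=0 bytes, the ASA never reached the server) from an authentication result. The sample lines are constructed from the ones in the thread; the session ids and byte counts are those shown there.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: one session that authenticates, one that never reaches the server.
SAMPLE_DEBUG = """\
[4069] Session Start
[4069] Creating LDAP context with uri=ldap://10.38.145.20:389
[4069] Authentication successful for usertest1 to 10.38.145.20
[4069] Fiber exit Tx=718 bytes Rx=17970 bytes, status=1
[4069] Session End
[4075] Session Start
[4075] Creating LDAP context with uri=ldap://10.38.145.20:389
[4075] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[4075] Unable to read rootDSE. Can't contact LDAP server.
[4075] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[4075] Session End
"""

LINE_RE = re.compile(r"^\[(-?\d+)\] (.*)$")
EXIT_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes, status=(-?\d+)")
URI_RE = re.compile(r"uri=ldap://([^:\s]+):(\d+)")

def parse_ldap_debug(text):
    """Group lines by session id and classify each session's outcome."""
    sessions = defaultdict(lambda: {"server": None, "tx": 0, "rx": 0,
                                    "status": None, "outcome": "incomplete"})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if u := URI_RE.search(msg):
            s["server"] = f"{u.group(1)}:{u.group(2)}"
        if "Can't contact LDAP server" in msg:
            s["outcome"] = "transport_failure"   # nothing sent: reachability, not credentials
        if e := EXIT_RE.search(msg):
            s["tx"], s["rx"], s["status"] = (int(g) for g in e.groups())
            if s["status"] == 1:
                s["outcome"] = "auth_success"
            elif s["outcome"] == "incomplete":
                s["outcome"] = "auth_failure"
    return dict(sessions)

def summarize(sessions):
    """Outcome counts, so an intermittent tunnel shows up as a ratio rather than one-off errors."""
    counts = defaultdict(int)
    for s in sessions.values():
        counts[s["outcome"]] += 1
    return dict(counts)
```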

Hi,

   Can you try the following for a couple of LDAP users and see what the end result is: "test aaa-server authentication LDAPSERVERS username xyz password xyz"?

   Can you post the AnyConnect DART logs and the ASA configuration? You could PM those to me, in case you don't want to post them here.

Regards,

Cristian Matei.

See PM.

With the other test, for the LDAP, I just get "Authentication Successful" when I tried a couple of users.

Hi,

    Can you try using the latest ASA version 9.8(4), I think it's 9.8(4)17? Also, disable IPv6 on the end-system where AnyConnect is deployed. What version of AnyConnect are you using? Can you test a VPN session from another end-station?

Regards,

Cristian Matei.