03-24-2020 03:01 AM
Hi,
We have a Cisco ASA firewall 5512 version 9.9. We have recently moved our DNS servers to Azure (accessed over a site-to-site VPN). Before we had no issues with the ClientSSL VPN; now, when I enter the new LDAP server address and set it to the Outside interface (which I believe is correct as it's over a VPN, although I did try the Inside interface too with the same issue), I just get a timeout. Doing a debug on the ASA shows the following:
[3813] Creating LDAP context with uri=ldap://10.38.145.20:389
[3813] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[3813] Unable to read rootDSE. Can't contact LDAP server.
[3813] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
How can I get it to see the Domain Controllers in Azure? I can connect to LDAP fine from my client PC; the issue seems to be getting it to work from the ASA.
I tried pinging the remote network from the ASA but I do not get a response via TCP or ICMP pings. PCs on the internal network are responding fine, but the issue appears to be just for the ASA.
Do I need to add anything into the config to allow me to access resources on the other end of the tunnel from the firewall initiating it?
Thanks!
Brendan
03-24-2020 03:54 AM
Hi,
Assuming 10.38.145.20 is the IP address of the LDAP server and x.x.x.x is the outside IP of your ASA, did you match on traffic from your ASA outside IP to the LDAP server in your crypto ACL, like "permit ip host x.x.x.x host 10.38.145.20"? This has to be done on the other side as well, with the ACL entry in mirror.
If it still doesn't work, post the output of the following, while trying to authenticate against the LDAP server:
debug ldap 128
debug aaa common
show crypto ipsec sa peer AZURE_VPM
Regards,
Cristian Matei.
03-24-2020 05:02 AM
Hi Cristian,
Many thanks for getting back to me.
I have had a look at the crypto maps and there isn't anything in there for the actual Outside IP of our firewall going to that host/subnet, I don't think.
We have crypto maps for our internal subnets to the Azure subnets.
This is shown below from our Firewall:
Crypto map tag: Outside_map, seq num: 5, local addr: 212.139.167.114
  access-list Outside_cryptomap_3 extended permit ip 10.36.144.0 255.255.240.0 10.38.144.0 255.255.240.0
  local ident (addr/mask/prot/port): (10.36.144.0/255.255.240.0/0/0)
  remote ident (addr/mask/prot/port): (10.38.144.0/255.255.240.0/0/0)
  current_peer: 51.140.251.238
  local crypto endpt.: 212.139.167.114/0, remote crypto endpt.: 51.140.251.238/0
  path mtu 1500, ipsec overhead 74(44), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 4D42CF3A
  current inbound spi : F0634956
Does the above cover what we need, or do I need to add another crypto map?
Sorry, I'm a bit of a newbie when it comes to VPNs. Apologies if this is really basic!
Brendan
03-24-2020 08:54 AM
Hi,
You just need to add a new entry in your ACL which defines the encryption domain: "outside_cryptomap_3":
access-list outside_cryptomap_3 permit ip host FIREWALL_OUTSIDE_PUBLIC_IP host LDAP_PRIVATE_IP(10.38.145.20)
An entry in Azure VPN configuration needs to be added as well, with ACL entry in mirror (swap source with destination).
Regards,
Cristian Matei.
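The point made above, that traffic the ASA originates itself is sourced from its outside IP and so needs its own entry in the encryption domain on both sides, can be checked mechanically. The following is an added example written for this thread, not code from the thread or from Cisco; the ACL names and the outside IP 203.0.113.10 are constructed, while the private ranges are the ones quoted above.

```python
import ipaddress
import re

# Constructed sample data. 203.0.113.10 stands in for the ASA's outside IP;
# the 10.36.144.0/20 and 10.38.144.0/20 ranges are the thread's subnets.
ASA_ACL_BEFORE = """
access-list Outside_cryptomap_3 extended permit ip 10.36.144.0 255.255.240.0 10.38.144.0 255.255.240.0
"""
ASA_ACL_AFTER = ASA_ACL_BEFORE + """
access-list Outside_cryptomap_3 extended permit ip host 203.0.113.10 host 10.38.145.20
"""
# Azure side written in the same ACL notation, source and destination swapped.
AZURE_MIRROR_BEFORE = """
access-list azure_mirror extended permit ip 10.38.144.0 255.255.240.0 10.36.144.0 255.255.240.0
"""
AZURE_MIRROR_AFTER = AZURE_MIRROR_BEFORE + """
access-list azure_mirror extended permit ip host 10.38.145.20 host 203.0.113.10
"""

ENTRY_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(?P<rest>.+)")

def _take_addr(tokens):
    """Consume 'host A' or 'A MASK' from the token list; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] for every 'permit ip' entry in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            src, rest = _take_addr(m.group("rest").split())
            dst, _ = _take_addr(rest)
            entries.append((src, dst))
    return entries

def is_protected(entries, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip falls inside the encryption domain."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def mirror_gaps(local_entries, remote_entries):
    """Local entries whose swapped (dst, src) counterpart is missing remotely."""
    mirrored = {(dst, src) for src, dst in remote_entries}
    return [e for e in local_entries if e not in mirrored]
```

Run `is_protected` with the firewall's own outside IP as source against the original ACL to reproduce the gap, and `mirror_gaps` to confirm the Azure side carries the swapped entry.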
03-25-2020 01:45 AM
Hi Cristian,
Thanks so much for helping me out on this!
I have got further. I added the crypto map and added it to the Azure side. The configuration is pretty basic, so I only had the option to add subnets or hosts to the address space of the gateway, so I added "OUTSIDE_IP/32".
Good news: I can now TCP ping on port 389 from the ASA!
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.38.145.20 port 389 from 212.139.167.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 15/15/15 ms
Bad news is that I'm still getting errors with the VPN.
Debug still shows the below:
[-2147483637] Session Start
[-2147483637] New request Session, context 0x00007f1a6b820c60, reqType = Authentication
[-2147483637] Fiber started
[-2147483637] Creating LDAP context with uri=ldap://10.38.145.20:389
[-2147483637] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[-2147483637] Unable to read rootDSE. Can't contact LDAP server.
[-2147483637] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483637] Session End
[3858] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[3858] Session End
I don't see why it's still not working. Have you got any idea why?
Thanks so much!
03-25-2020 03:55 AM
Hi,
Can you post your LDAP server configuration, or even better the whole config?
Regards,
Cristian Matei.
03-25-2020 04:27 AM
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Outside) host 10.38.145.18
 server-type auto-detect
aaa-server LDAPSERVERS (Outside) host 10.38.145.20
 server-type auto-detect
I'd have to ask my boss if he's comfortable with pasting the whole config; not sure if that's a security risk. Sorry, I know you want to help but I don't want to get fired for pasting confidential stuff :)
Is the above of any further help?
03-27-2020 05:44 AM
Hi,
So there is now connectivity with the remote side. Can you "clear crypto ipsec sa counters", trigger the ASA to send LDAP requests, issue "show crypto ipsec sa peer x.x.x.x detail" a couple of times and post the output? Also, are you sure that everything is good on the other side: is the ASA's public IP address allowed to speak LDAP with the server, is the service running?
Regards,
Cristian Matei.
03-30-2020 12:22 AM
Hi Cristian,
I got further at the weekend. It now seems to work when I run it via the test option in the ASDM console.
Crypto map tag: Outside_map, seq num: 5, local addr: 212.139.167.114
  access-list Outside_cryptomap_3 extended permit ip host 212.139.167.114 host 10.38.145.20
  local ident (addr/mask/prot/port): (212.139.167.114/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (10.38.145.20/255.255.255.255/0/0)
  current_peer: 51.140.251.238
  #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
  #pkts decaps: 44, #pkts decrypt: 39, #pkts verify: 39
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 60, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
  #pkts invalid pad (rcv): 0, #pkts invalid ip version (rcv): 0,
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0
  local crypto endpt.: 212.139.167.114/0, remote crypto endpt.: 51.140.251.238/0
  path mtu 1500, ipsec overhead 74(44), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 1E49B9A2
  current inbound spi : ED0FF3E2
  inbound esp sas:
    spi: 0xED0FF3E2 (3977245666)
      SA State: active
      transform: esp-aes-256 esp-sha-hmac no compression
      in use settings ={L2L, Tunnel, IKEv1, }
      slot: 0, conn_id: 3799, crypto-map: Outside_map
      sa timing: remaining key lifetime (kB/sec): (97199978/3316)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
       0x00000FFF 0xFFFFC7FD
  outbound esp sas:
    spi: 0x1E49B9A2 (508148130)
      SA State: active
      transform: esp-aes-256 esp-sha-hmac no compression
      in use settings ={L2L, Tunnel, IKEv1, }
      slot: 0, conn_id: 3799, crypto-map: Outside_map
      sa timing: remaining key lifetime (kB/sec): (97199994/3316)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
       0x00000000 0x00000001
However, when I try to connect with the AnyConnect client, I get the following in the debug log:
[4069] Processing LDAP response for user usertest1
[4069] Message (usertest1):
[4069] Authentication successful for usertest1 to 10.38.145.20
* Lots more sensitive info then...
[4069] Fiber exit Tx=718 bytes Rx=17970 bytes, status=1
All I get on the VPN client is the following:
If I keep trying it, even with the correct details, I get the following, and it's like it can't see it again.
If I then wait a while, it seems to "work" by connecting again once or twice.
[4075] Session Start
[4075] New request Session, context 0x00007f1a6b820c60, reqType = Authentication
[4075] Fiber started
[4075] Creating LDAP context with uri=ldap://10.38.145.20:389
[4075] Connect to LDAP server: ldap://10.38.145.20:389, status = Failed
[4075] Unable to read rootDSE. Can't contact LDAP server.
[4075] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[4075] Session End
The VPN is stable so I don't know what is going on.
Bit of a strange one, this; it was working fine before I moved the LDAP server. I think we are close now! Any ideas? Thanks so much!
03-30-2020 12:58 AM
Hi,
Can you try the following for a couple of LDAP users and see what the end result is: "test aaa-server authentication LDAPSERVERS username xyz password xyz" ?
Can you post the AnyConnect DART logs and the ASA configuration? You could PM those to me, in case you don't want to post it here.
Regards,
Cristian Matei.
03-30-2020 03:22 AM
See PM.
With the other test, for the LDAP, I just get "Authentication Successful" when I tried a couple of users.
03-30-2020 04:45 AM
Hi,
Can you try using the latest ASA version 9.8(4), I think it's 9.8(4)17? Also, disable IPv6 on the end-system where AnyConnect is deployed. What version of AnyConnect are you using? Can you test a VPN session from another end-station?
Regards,
Cristian Matei.