09-05-2018 03:30 PM
I am using the Firepower Threat Defense on the Firepower 2100 series chassis and attempting to set up a remote access VPN. To establish the IdentityRealm, I am trying to use a simpleAD instance hosted on AWS. We have a working site to site VPN and onsite hosts inside our office network can reach / use the AWS hosted simpleAD instance. When I attempt to use the simpleAD instance however from the Cisco device as a directory service for the identity realm, and test, it times out after approximately 10 seconds with this error:
Cannot connect to realm. Messages returned: (For identity policies) The connection test failed. (For RA VPN authentication) ERROR: Authentication Server not responding
I have not been able to inspect the logs at the AWS end yet, but suspect the lookup is not getting routed correctly over the site to site VPN. Where would that traffic originate from? Is there anything special I need to do to get it onto the site to site vpn? (all our inside network addresses seem to route properly and can see the AD server). Any thoughts appreciated,
Darren
09-06-2018 03:22 PM
Update: I am reasonably certain now that no packets are entering the AWS end of the network. The most likely cause is that the site to site VPN is not routing the directory lookup traffic. When the Cisco device itself is connecting (or trying to connect) to the directory, what is the originating IP? We have all our inside networks capable of connecting over the site to site VPN, but for traffic originating on the Cisco device, what is the source IP?
09-10-2018 02:12 PM
I was unable to resolve this and Cisco support wasn't familiar with the device either (they are trying to find someone who is), so I am abandoning this line of attack and going with a proxy onsite. Everything in the docs suggests this should be possible, but it wasn't worth the time and effort unfortunately.