Cisco ASA AnyConnect LDAP authentication over IPsec VPN?

Ashley K
I feel like this is a simple fix but I'm kind of tearing my hair out here.

Scenario:
Client has 2 sites A & B

Site A: remote office, no AD server on site but an existing ASA 5505 with AnyConnect licenses
Site B: cloud-hosted servers including AD, with an ASA 5585 with AnyConnect licenses.

The users can connect to either, depending on what resources they need and the availability of licenses, and they both authenticate with LDAP.

Site B network:
10.10.0.0/24
ldap server 10.10.0.10

LDAP auth works fine here. No worries.

Site A network:
10.10.100.0/24
ldap server 10.10.0.10

LDAP is not working. Traffic works between these 2 networks just fine, everything is up and running, all devices can see the ldap server (windows, btw) BUT the ASA cannot connect to the 10.10.0.10 server when testing.

[-2147483634] New request Session, context 0x00007fff2a7fdfe8, reqType = Authentication
[-2147483634] Fiber started
[-2147483634] Creating LDAP context with uri=ldap://10.10.0.10:389
[-2147483634] Connect to LDAP server: ldap://10.10.0.10:389, status = Failed
[-2147483634] Unable to read rootDSE. Can't contact LDAP server.
[-2147483634] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483634] Session End

I just can't seem to figure out why. ASA ping tests and packet-tracer work fine from 10.10.100.0 to 10.10.0.10 and vice versa, unless I use the inside interface IP of the ASA itself as the source IP. This seems like normal behavior?

I'm more of a systems person, networking is not my strong suit, but this is part of a project and I need this local VPN up and working.

Any information is appreciated!


I can provide configs but I'd prefer not to without some serious scrubbing.
Distinguished Expert 2017

Commented:
Presumably you have set up a site-to-site VPN. What source IP does Site B's ASA use? Does it use 10.10.0.1? Presumably that is its LAN IP.
The issue: if it uses another IP, it would not match the VPN criteria.

What are your site-to-site access-lists and inter-LAN communication rules? Is LAN-to-LAN traffic exempt from NAT (nat (inside) 0 access-list nonat exempting inter-LAN traffic), or do you have nat (inside) 1 allowing only specific traffic?
Pete Long, Technical Consultant

Commented:
Also, at Site B make sure your LDAP server is specified as (outside), not (inside) (assuming your interfaces are called outside and inside).

Pete
Ashley K, Systems Engineer

Author

Commented:
Sorry for the delay, since I work for an MSP we have a lot of clients to interface with and I haven't had time to prune both configs of any sensitive data. I have attached Site B's config however.
localnetwork.txt

Distinguished Expert 2017

Commented:
Based on your Site B config, you use Site A's DNS servers 10.10.0.10 and 10.10.0.11, so it seems you allow port 53 through the VPN, though I am not able to see where.
Double-check whether on Site A you allow access to LDAP on 10.10.0.10 ... it might be that everything is allowed out of Site B but the LDAP requests are being denied by Site A's inbound VPN ACL rule; look for dropped packets.
Ashley K, Systems Engineer

Author

Commented:
I'm able to telnet to the port from site B to 10.10.0.10. I don't have any restrictions on access between the 2 sites so everything should be open.

Yes, DNS is fed to this ASA through the domain controller at Site A. Temporarily, we have a DC on site that is replicating from the cloud to allow authentication to this VPN, but long term the client wants no servers at Site A.

I'm scrubbing Site A's config now. I'll post it once I get it cleaned up. It's a newer site so there's less... age... in the config lol. There's a lot of stuff in B's config that could probably be taken out, especially after the servers are scrapped.
Distinguished Expert 2017

Commented:
Please try debugging the AAA requests from Site B in an effort to see from where and to where the packet is being sent, i.e.

The other part: an LDAP connection requires credentials, and I do not believe I saw a reference to the credentials that the connection to LDAP would use.

Have you considered setting up NPS RADIUS and using RADIUS instead of trying to use LDAP to query the remote AD?
Distinguished Expert 2017

Commented:
I re-read the config; you do have credentials, using Administrator. IMHO, you should set up and use a new account as a service account for this purpose. The Administrator password will inevitably change, which will cause many issues as a consequence.



The test remains: it might be a failure to locate/match .....
Ashley K, Systems Engineer

Author

Commented:
I've had several people mention RADIUS to me, but from memory, it requires you to configure the role on the server, doesn't it? It may work, but it sounds like a lot more complicated a solution.

Yes there were a number of local accounts, I scrubbed them out of the config.
Ashley K, Systems Engineer

Author

Commented:
Added scrubbed Site B config. This is where the DCs live, and where the Site A firewall should be reaching out for LDAP.

I have a feeling the problem lies on this end. I'm not sure why.. I just do.
siteb.txt
Systems Engineer
Commented:
I thought you might like to know what solved this problem.

I worked with one of our net admin folks and he was able to help me get it working. We made the following changes:
1. Created an object on both ends for the external IPs of both sites.
2. Added this to the existing VPN tunnel networks.
3. Created a NAT rule to allow traffic to flow between the two sites.
4. Changed the LDAP authentication object from the inside to the outside interface.

All is working now! Thank you all so much for the brainstorming!
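The four steps above, written out as an added example in ASA 8.3+ syntax. This is not either of the configs posted in the thread; the object names, the two public addresses (198.51.100.1 for Site A, 203.0.113.1 for Site B), the DNs and the service-account name are assumptions chosen for illustration. The point it shows: an LDAP connection the ASA originates itself is sourced from the IP of the interface named in the aaa-server line, so that host IP (not just the LAN subnet) has to be interesting traffic in the crypto ACL on both ends and has to be exempt from NAT, otherwise the bind never enters the tunnel and the debug output ends with "Can't contact LDAP server".

```cisco
! ---------- Site A ASA (remote office, no local LDAP) ----------
! 1. Objects for the two LANs, each ASA's outside IP, and the LDAP host
object network SiteA-LAN
 subnet 10.10.100.0 255.255.255.0
object network SiteB-LAN
 subnet 10.10.0.0 255.255.255.0
object network SiteA-ASA-outside
 host 198.51.100.1
object network SiteB-ASA-outside
 host 203.0.113.1

! 2. Crypto ACL: besides the LAN-to-LAN line, the ASA's own outside IP
!    must be interesting traffic, because that is the source of the bind
access-list L2L-SiteB extended permit ip object SiteA-LAN object SiteB-LAN
access-list L2L-SiteB extended permit ip object SiteA-ASA-outside object SiteB-LAN

! 3. Identity (no-NAT) rule for the LAN-to-LAN flow
nat (inside,outside) source static SiteA-LAN SiteA-LAN destination static SiteB-LAN SiteB-LAN no-proxy-arp route-lookup

! 4. Bind the LDAP server to the outside interface so the ASA sources the
!    connection from 198.51.100.1, which now matches step 2 on both ends.
!    Use a dedicated read-only service account, not Administrator.
aaa-server LDAP-SiteB protocol ldap
aaa-server LDAP-SiteB (outside) host 10.10.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <service-account-password>
 server-type microsoft

! ---------- Site B ASA (cloud, where the DCs live) ----------
! Mirror of step 2: the reply from 10.10.0.10 to Site A's outside IP must
! also be interesting traffic here, or the DC's answer leaves in the clear
access-list L2L-SiteA extended permit ip object SiteB-LAN object SiteA-LAN
access-list L2L-SiteA extended permit ip object SiteB-LAN object SiteA-ASA-outside

! Mirror of step 3: exempt the DC-to-Site-A-ASA flow from the outbound NAT
nat (inside,outside) source static SiteB-LAN SiteB-LAN destination static SiteA-LAN SiteA-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SiteB-LAN SiteB-LAN destination static SiteA-ASA-outside SiteA-ASA-outside no-proxy-arp route-lookup

! ---------- Verification on Site A ----------
! A working bind shows "status = Success" where the thread's output showed
! "status = Failed", and the fiber exits with non-zero Rx bytes
! debug ldap 255
! test aaa-server authentication LDAP-SiteB host 10.10.0.10 username jdoe password <pw>
! show crypto ipsec sa peer 203.0.113.1   (encaps/decaps counters should increment)
```

Two checks worth doing once it binds: the `nat` lines above are placed before any existing dynamic PAT rule (section 1 manual NAT), since a later identity rule never wins against an earlier PAT; and because the simple bind carries the service-account password in cleartext, the tunnel is the only thing protecting it, so either keep it strictly inside the IPsec SA or switch the host entry to `ldap-over-ssl enable` with `server-port 636` once the DC has a certificate.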
Ashley K, Systems Engineer

Author

Commented:
I worked with our internal techs and we were able to figure it out. It wasn't any of the solutions provided here.
