
LDAP connection failing from ASA


FloDiggs

MIS
Jan 20, 2007
296
US
I've been using LDAP to authenticate administrators to our ASA's, but I've recently run into a problem. It's been working fine for about 5 months, but this past week, administrators have been getting LDAP logins rejected, and it falls back to local authentication. The AD servers are working fine for every other AD dependent application, but the ASA's are crapping out. This is what I get when debugging aaa authentication:

[15789] Session Start
[15789] New request Session, context 0xccb03598, reqType = Authentication
[15789] Fiber started
[15789] Creating LDAP context with uri=ldap://x.x.x.254:389
[15789] Connect to LDAP server: ldap://x.x.x.254:389, status = Successful
[15789] While getting rootDSE, LDAP server x.x.x.254 returned code (-1) Can't contact LDAP server
[15789] This LDAP server does not support V3 protocol.
[15789] Binding as LDAPReadOnly
[15789] Performing Simple authentication for LDAPReadOnly to x.x.x.254
[15789] Simple authentication for LDAPReadOnly returned code (-1) Can't contact LDAP server
[15789] Failed to bind as LDAPReadOnly returned code (-1) Can't contact LDAP server
[15789] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2
[15789] Session End
Marking server DC1 down in servertag LDAPServers

I've done some searching, but I'm not coming up with much of anything. I've tried changing the user used to bind to the LDAP servers to a user with domain admin privileges, but that doesn't work either.

It's ASA 8.2(1) binding to Windows 2003 x64 R2 SP2. Any help would be appreciated.
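The debug transcript above carries a useful signal that is easy to miss: the TCP connect reports `Successful`, yet the rootDSE read immediately fails with `(-1) Can't contact LDAP server` and the session ends with `Rx=0 bytes`. The handshake completed but not a single LDAP byte came back, which points at something on the path (or the DC's LDAP service) rather than at DNS, routing or credentials. The following triage script is an added example, not Cisco code or anything from the original post; it parses `debug ldap` style lines and classifies which stage failed. The sample text is the transcript from the post; the stage names and the assumption that a non-zero bind code other than -1 means a server-side rejection are mine.

```python
"""Classify where an ASA LDAP authentication attempt failed, using the
'debug ldap' / 'debug aaa' transcript.  Added example, not Cisco code."""
import re

# Sample transcript taken from the post above (trimmed to the lines the
# classifier keys on).  Real output has the same shape.
SAMPLE_DEBUG = """\
[15789] Creating LDAP context with uri=ldap://x.x.x.254:389
[15789] Connect to LDAP server: ldap://x.x.x.254:389, status = Successful
[15789] While getting rootDSE, LDAP server x.x.x.254 returned code (-1) Can't contact LDAP server
[15789] This LDAP server does not support V3 protocol.
[15789] Binding as LDAPReadOnly
[15789] Simple authentication for LDAPReadOnly returned code (-1) Can't contact LDAP server
[15789] Fiber exit Tx=145 bytes Rx=0 bytes, status=-2
Marking server DC1 down in servertag LDAPServers
"""

# One regex per stage; group 1 is the outcome for that stage.
STAGES = (
    ("connect", re.compile(r"Connect to LDAP server: .*status = (\w+)")),
    ("rootdse", re.compile(r"While getting rootDSE, .*returned code \((-?\d+)\)")),
    ("bind", re.compile(r"Simple authentication for \S+ returned code \((-?\d+)\)")),
)
FIBER_RE = re.compile(r"Fiber exit Tx=(\d+) bytes Rx=(\d+) bytes")


def parse_session(text):
    """Return per-stage outcomes plus bytes sent/received for one session."""
    result = {"connect": None, "rootdse": None, "bind": None, "tx": None, "rx": None}
    for line in text.splitlines():
        for stage, rx in STAGES:
            m = rx.search(line)
            if m:
                val = m.group(1)
                result[stage] = val if stage == "connect" else int(val)
        m = FIBER_RE.search(line)
        if m:
            result["tx"], result["rx"] = int(m.group(1)), int(m.group(2))
    return result


def diagnose(session):
    """Map the stage outcomes to the most likely failure class (my labels)."""
    if session["connect"] != "Successful":
        # No TCP handshake: routing, ACL on the way, or the host is down.
        return "tcp-connect-failed"
    if session["rootdse"] == -1 and session["rx"] == 0:
        # Handshake completed but nothing came back: something between the
        # ASA and the DC drops or resets the session after connect, or the
        # DC's LDAP service accepts connections but does not answer.
        return "connected-but-no-ldap-reply"
    if session["rootdse"] == 0 and session["bind"] not in (None, 0):
        # Server answered the rootDSE read, then rejected the bind:
        # credentials or bind DN problem, not a network problem.
        return "bind-rejected"
    return "ok" if session["bind"] == 0 else "unknown"


if __name__ == "__main__":
    s = parse_session(SAMPLE_DEBUG)
    print(s, "->", diagnose(s))
```

Run it against your own `debug ldap 255` output; a `connected-but-no-ldap-reply` verdict is the one that argues for looking at inline filters, IPS or anything else that can allow the SYN/ACK and then kill the flow, rather than at the DC or the bind account.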
 
any changes in your environment that can be attributed?
 
No significant changes. Several weeks ago, I changed the LDAP config to look multiple levels beneath the base DN, but there were no issues until yesterday. The only other changes would be Windows Updates, IPS signature updates, and anti-virus updates. No events on the IPS, and not anti-virus alerts either. Unless I figure something out pretty quick, I'm putting a call into Cisco.
 
You can configure the security appliance to authenticate and authorize IPSec VPN users, SSL VPN clients, and WebVPN users to an LDAP directory server. During authentication, the security appliance acts as a client proxy to the LDAP server for the VPN user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. The security appliance supports any LDAP V3 or V2 compliant directory server. It supports password management features only on the Sun Microsystems Java System Directory Server and the Microsoft Active Directory server.

what version are you trying to use on the asa? looks like v3, can you change that to v2?
 
i've been having a similar issue with my 5510 using RADIUS (MS IAS). right now i'm running 8.2(2) code. it had been running fine for about one year and then all of the sudden late last week it decides to be stubborn. i've got it configured to use two different RADIUS servers so when the main one gets marked as FAILED then the second one takes over, but if i go back in and administratively override the status to ACTIVE then it works for a while and then it fails. the same thing happens to webfiltering. i'm running websense and it too has been fine for six plus months and then every now and again the websense server will be marked as DOWN but then will come back up a few minutes later, rinse and repeat. all other devices that depend on RADIUS for authentication (other firewalls, routers, switches, 802.1x for wireless) work fine, it's just this firewall. cpu and memory utilization are normal. i've got a case open with TAC at this moment so they can be my second set of eyes.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Must be a separate issue then. My RADIUS users are authenticating just fine; it's only the LDAP users.
 
is it possible the IPS on the device is killing that server?
 
RADIUS is running on the same servers I am using for LDAP. Also, I have not had any related events in the IPS. I also don't see a way to configure LDAPv2.
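When the ASA reports that the server "does not support V3 protocol" right after a successful connect, the quickest way to separate "the DC really answers LDAPv3" from "something on the path eats the session" is to repeat the ASA's first two steps from a host on the ASA's own subnet: connect, send an anonymous LDAPv3 bind, read the rootDSE. The probe below is an added example, not part of the original thread and not an ASA feature; it hand-encodes the two BER messages with only the Python standard library, so it runs where no LDAP client is installed. Host and port are placeholders; it assumes the DC permits anonymous bind and anonymous rootDSE reads, which Active Directory does by default.

```python
"""Minimal LDAPv3 probe: anonymous bind + rootDSE read over plain TCP.
Added example with hand-rolled BER encoding; not Cisco or Microsoft code."""
import socket


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n):
    """INTEGER for non-negative n (extra leading 0x00 when the top bit is set)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(msg_id, version=3, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] simple auth }."""
    body = _int(version) + _tlv(0x04, dn) + _tlv(0x80, password)
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, body))


def rootdse_search_request(msg_id, attrs=(b"supportedLDAPVersion",)):
    """SearchRequest [APPLICATION 3] for base "" scope baseObject, (objectClass=*)."""
    body = (_tlv(0x04, b"")                 # baseObject "" = rootDSE
            + _tlv(0x0A, b"\x00")           # scope: baseObject
            + _tlv(0x0A, b"\x00")           # derefAliases: neverDerefAliases
            + _int(0) + _int(0)             # sizeLimit, timeLimit: unlimited
            + _tlv(0x01, b"\x00")           # typesOnly: FALSE
            + _tlv(0x87, b"objectClass")    # filter: present(objectClass)
            + _tlv(0x30, b"".join(_tlv(0x04, a) for a in attrs)))
    return _tlv(0x30, _int(msg_id) + _tlv(0x63, body))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_result(msg):
    """Return (messageID, protocolOp tag, resultCode or None) for one LDAPMessage."""
    tag, seq, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(seq)
    op_tag, op, _ = _read_tlv(seq, pos)
    code = None
    if op_tag in (0x61, 0x65):              # BindResponse / SearchResultDone carry LDAPResult
        _, rc, _ = _read_tlv(op)
        code = int.from_bytes(rc, "big")
    return int.from_bytes(mid, "big"), op_tag, code


def probe(host, port=389, timeout=5):
    """Mimic the ASA's first steps and report how far the server gets."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1))
            reply = s.recv(4096)
            if not reply:
                return "connected-but-no-ldap-reply"   # the thread's symptom
            _, op, code = parse_result(reply)
            if op != 0x61 or code != 0:
                return "bind-failed:%s" % code
            s.sendall(rootdse_search_request(2))
            return "rootdse-ok" if s.recv(65536) else "no-rootdse-reply"
    except (socket.timeout, ConnectionResetError) as exc:
        return "after-connect:%s" % type(exc).__name__


if __name__ == "__main__":
    print(probe("dc1.example.invalid"))   # placeholder host, not from the thread
```

Run it twice: once from the ASA's subnet and once from a subnet you know is not filtered. `rootdse-ok` from the second host and `connected-but-no-ldap-reply` or a reset from the first is exactly the picture an inline filter produces, and it tells you which device to look at before opening a TAC case. The single `recv` calls are fine for a probe; a real client would loop until the SearchResultDone arrives.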
 
FloDiggs,

I realize this is from earlier this year but I am wondering if you ever found a resolution. I'm running into the same problem and came across your post.

Tim

Tim
Certified AND Qualified
[thumbsup2]
 
The issue ended up being a change to the rules in SurfControl, our web filtering solution. I don't know if that helps or not, but it is what ended up being our problem.
 
Thanks for the info. Was it blocking 389/636? Or was it something else? I'm not using anything to filter web traffic other than the ASA. But this problem has been going on for a month or so but there haven't been any changes to the ASA. The only other thing I can think of is something with the Windows DCs.

Tim
Certified AND Qualified
[thumbsup2]
 
SurfControl's rules changed to block all undefined traffic. Even though the ASA's subnet was not supposed to be monitored, I had to add a specific exception into SurfControl to allow LDAP authentication. SurfControl wasn't even configured to monitor port 636, which is why I neglected to look at SurfControl in the first place, but it was blocking it for some reason. What finally tipped us off was the time of day it was failing. Sometimes it would work, but the majority of the time it didn't. The times it worked were the times of day where our SurfControl rules loosened up the Internet restrictions to allow our employees to do some personal browsing. During those 'open' times of the day, it worked fine. Like I said, it took us a while to catch the pattern.

Have you tried using WireShark on your DCs to see what they are seeing?
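The clue that finally cracked the case above was a schedule: authentication worked only during the hours when the web filter's rules were relaxed. That kind of pattern is easy to test for once you write it down. The script below is an added example and is not from the original post; it takes syslog-style lines with a timestamp, marks each as a failure (the ASA's "Marking server ... down" line) or a success, and counts how many of each fall inside the filter's permissive windows. The log lines, the success-line wording and the window times are constructed for the demonstration.

```python
"""Correlate LDAP server-down events with a web filter's 'open' schedule.
Added example; log lines, success wording and windows are constructed."""
from datetime import datetime, time

# Constructed syslog-style export.  The "Marking server ... down" text is the
# ASA's own wording from the debug output; the "auth ok" line is a placeholder
# for whatever success record you have (AAA accounting, syslog, etc.).
EVENTS = """\
Mar 10 08:12:04 asa1 Marking server DC1 down in servertag LDAPServers
Mar 10 09:41:30 asa1 Marking server DC1 down in servertag LDAPServers
Mar 10 12:20:11 asa1 LDAP admin auth ok
Mar 10 14:05:57 asa1 Marking server DC1 down in servertag LDAPServers
Mar 10 17:33:09 asa1 LDAP admin auth ok
Mar 10 19:10:42 asa1 Marking server DC1 down in servertag LDAPServers
"""

# Constructed "personal browsing" windows of the filter policy, local time.
OPEN_WINDOWS = [(time(12, 0), time(13, 0)), (time(17, 0), time(18, 0))]


def in_window(t, windows):
    return any(start <= t < end for start, end in windows)


def correlate(log, windows):
    """Bucket events as fail/ok x inside/outside the permissive windows."""
    counts = {"fail_in": 0, "fail_out": 0, "ok_in": 0, "ok_out": 0}
    for line in log.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").time()
        failed = "Marking server" in line and " down " in line
        key = ("fail" if failed else "ok") + ("_in" if in_window(ts, windows) else "_out")
        counts[key] += 1
    return counts


def schedule_suspected(counts):
    """True when failures only ever happen outside the open windows and
    successes only inside them: a strong hint the filter schedule is involved."""
    return (counts["fail_out"] > 0 and counts["fail_in"] == 0
            and counts["ok_out"] == 0)


if __name__ == "__main__":
    c = correlate(EVENTS, OPEN_WINDOWS)
    print(c, "schedule suspected:", schedule_suspected(c))
```

A day or two of real syslog from the ASA is enough input; if the verdict flips to `False` because failures also land inside the open windows, the schedule is not the explanation and a packet capture on the DC (as suggested above) is the next step.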
 
Gotta love it when your system throws you a curve ball!

Haven't tried WS yet but will do that later on today. Thanks again for the info and the assist.

Tim
Certified AND Qualified
[thumbsup2]
 