
ASA 5520 - Issues (not sure if it's NAT or.. )

15 years 1 month ago #32168 by RossM
Hi All,

I have an issue with my ASA5520.

I am trying to set up VPN auth via AD and have been successful in the past, but this time something isn't quite right.

I get "ERROR: Authorization Server not responding: AAA server has been removed". Googling suggested that this meant it was reaching the server, but the logon details/LDAP string was incorrect.

When I look in the log on the AD I do not see any attempt to log in etc... and when I look at the ASA log I see an oddity.... (which may be a complete red herring to the problem above)

Instead of seeing From ASA to ADServer:389 I see it back to front... i.e. as if the request is coming from the ADServer to the ASA.

Configuration:

Have static route for 10.15.20.0/23 to go to 10.1.1.1

Inside Interface: 10.1.1.2

So in essence I have 2 networks behind that 1 interface.
Internet works fine and appears normal in the log; I can ping from the ASA to the AD server and vice versa and that appears fine.

If I do a packet tracer from 10.1.1.25 to 10.15.20.21 that goes through fine. If I do 10.1.1.2 to 10.15.20.21 it fails saying it doesn't match the ACL rule (even though I have set these up).

I have seen this before in that if the ASA knows it cannot get to the destination, it stops it before it goes out of the interface(?) and gives a bogus error.

I've been working on this for the past day or so and have asked around a couple of other Cisco-savvy people and they are stumped... Any help very gratefully received :)

Ross
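An added example (not RossM's configuration and not taken from the thread) of how the pieces described above fit together on an ASA: the static route to the second subnet behind the inside interface, an LDAP AAA server group bound to that interface, and the checks a practitioner would run before suspecting NAT or ACLs. The group name, base DN, service account DN and passwords are placeholders; the addresses are the ones given in the post.

```text
! Added example, not the poster's own configuration.
! Group name, DNs and credentials are placeholders.

! Second subnet (10.15.20.0/23) sits behind the inside gateway 10.1.1.1
route inside 10.15.20.0 255.255.254.0 10.1.1.1 1

! AAA server group pointing at the domain controller, reached via "inside".
! The interface in parentheses must be the one the route above uses.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.15.20.21
 server-port 389
 server-type microsoft
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <placeholder>

! Checks, in this order:
! 1. Is the server routed out of the interface named in the aaa-server line?
show route 10.15.20.21

! 2. Does the bind and user lookup succeed? Enable LDAP debugging first so the
!    DN the ASA actually binds with, and the server's response, are visible.
debug ldap 255
test aaa-server authentication AD-LDAP host 10.15.20.21 username jdoe password <placeholder>
undebug all

! 3. packet-tracer models traffic entering an interface from the network, not
!    traffic the ASA itself originates. Source it from an inside host, as in the
!    post; a trace sourced from the ASA's own 10.1.1.2 does not exercise the
!    path the LDAP connection takes.
packet-tracer input inside tcp 10.1.1.25 1025 10.15.20.21 389 detailed
```

The test aaa-server step is the one that isolates the problem in the post: it fails for the same reasons a VPN logon would (wrong login DN, wrong base DN, wrong password) but without involving the VPN tunnel-group, and the debug output shows the exact DN string sent to the domain controller.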
15 years 1 month ago #32170 by RossM
UPDATE:

Total red herring. After double and triple checking the LDAP string I noticed the AD display name was in caps and everything else was lowercase... changed to all lower case and I am able to authenticate etc. However, I would still like to know/fix the issue re: the log being the wrong way round.