Active Directory issues and ASA 5510

Aug 7th, 2008

We are running an ASA 5510 w/ 8.0(3) code that is isolating vendor systems from our network. We have an enterprise AD structure and the vendor has an internal AD structure for their system. Their systems exist on our network in a non-routed VLAN and the ASA has an interface inside that VLAN for traffic. If I disable the ASA interface, all connectivity within the VLAN functions normally (and I stress within the VLAN). If I enable the interface, the devices can no longer authenticate nor map network shares within the VLAN. A packet capture finds master browser elections that no one answers while the interface is enabled, but the AD server answers when the interface is off. I have tried denying all traffic across the interface and even allowing all traffic. NETBIOS inspect and DNS inspect are turned on in the default inspect policy. Yes, the allow traffic between hosts on the same interface is enabled as well. All the devices are physically connected to the same switch and exist in the same VLAN. Please forgive the lack of logs at this moment, I can't access them from home but will add them in another post tomorrow. Any guidance or suggestions to look for is appreciated.


First regarding AD, I have had more than my share of this lately with my clients ;)


Please explain more about the relationship with the AD connections?


Are your servers multi-homed in their DMZ with dual-nics?


Could there be a simple IP conflict between the ASA (include NATs, as ARP plays into this) and their servers? How have you checked this? Look at arp -a on the servers... make sure you don't have ARP entries for servers coming back to the ASA's MAC address...


Have you set up a trust between your servers? One-way? Two-way?


What does eventvwr show? What error messages?


Please give us these answers and we can continue helping you solve this.


Would you be open to me coming in with you on webex and helping you solve this?


Thanks,


Joe
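The ARP check Joe suggests above (look at `arp -a` on the servers and make sure no server's address is answered with the ASA's MAC) is easy to do by eye on one box, but a small script makes it repeatable across every host in the VLAN. The following is an added example, not code from the thread or from Cisco: it parses `arp -a` output in both the Windows (dash-separated MAC) and Linux (`? (ip) at mac`) formats, flags any entry whose MAC belongs to the firewall but whose IP is not the firewall's own, and lists any non-broadcast MAC claimed by more than one IP. The sample table, the firewall IP `10.50.1.1` and the MAC `00-1a-2b-3c-4d-5e` are constructed for the example and are not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not from the thread).
# 10.50.1.1 / 00-1a-2b-3c-4d-5e is assumed to be the ASA's inside-VLAN interface;
# 10.50.1.10 is a server whose address has (wrongly) resolved to the ASA's MAC.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.50.1.20 --- 0xb
  Internet Address      Physical Address      Type
  10.50.1.1             00-1a-2b-3c-4d-5e     dynamic
  10.50.1.10            00-1a-2b-3c-4d-5e     dynamic
  10.50.1.30            00-0c-29-aa-bb-cc     dynamic
  10.50.1.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches "10.50.1.1   00-1a-2b-3c-4d-5e" (Windows) and
# "? (10.50.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0" (Linux).
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def normalise_mac(mac):
    """Lowercase, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return a list of (ip, mac) tuples from arp -a output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append((m.group(1), normalise_mac(m.group(2))))
    return entries


def find_firewall_mac_conflicts(entries, firewall_ip, firewall_mac):
    """IPs other than the firewall's own that resolve to the firewall's MAC.

    Any hit means a host on this box will send traffic for that server to the
    firewall instead of to the server (IP conflict, proxy ARP or a stale entry).
    """
    fw_mac = normalise_mac(firewall_mac)
    return [ip for ip, mac in entries if mac == fw_mac and ip != firewall_ip]


def find_shared_macs(entries):
    """Map MAC -> IPs for every unicast MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        # Broadcast and IPv4 multicast MACs legitimately repeat; ignore them.
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_arp_output(text, firewall_ip, firewall_mac):
    """Run both checks over raw arp -a text and return a small report dict."""
    entries = parse_arp_table(text)
    return {
        "entries": len(entries),
        "firewall_conflicts": find_firewall_mac_conflicts(entries, firewall_ip, firewall_mac),
        "shared_macs": find_shared_macs(entries),
    }


if __name__ == "__main__":
    report = check_arp_output(SAMPLE_ARP_OUTPUT, "10.50.1.1", "00-1a-2b-3c-4d-5e")
    for ip in report["firewall_conflicts"]:
        print(f"WARNING: {ip} resolves to the firewall's MAC; check for an IP conflict or stale ARP entry")
    for mac, ips in report["shared_macs"].items():
        print(f"NOTE: MAC {mac} is claimed by {', '.join(ips)}")
```

On a real host, feed it the saved output of `arp -a` and the firewall's interface address and MAC; a clean table produces an empty conflict list, while a server address pointing at the firewall is exactly the symptom that would make SMB and browser-election traffic go to the ASA instead of the AD server.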

vhabilthornc Fri, 08/08/2008 - 05:30

Thanks for the response Joe..


The two ADs mentioned are completely separate, no trusts, no DMZ, no nothing. Their AD is in place to authenticate their workstations to their db server. Another system within their setup sends data to two specific systems on the private side of our network. I haven't looked at the ARPs on their server but I can and will. We assigned the IP range for their systems and we check for duplicates before assigning them, but who knows.


The vendor server (and workstations) event logs show very generic and non-descript error messages relating to SMB errors.


Sadly, the powers that be in my workplace do not allow Webex unless it is written in as support on a contract :(


Thank you again for your response.


Chuck

vhabilthornc Fri, 08/08/2008 - 12:19

There was a duplicate ARP entry on the server. I deleted it and am awaiting the results. Thanks again for the info.


Chuck
