DC and ADC Synchronization through ASA 5580

Mar 29th, 2010

Hi, I have a Windows 2008 server acting as a DC connected to one of the interfaces of an ASA 5580, and a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC it's giving an error. There is no NAT on the ASA and I have an access-list configured for "permit ip any any" on all interfaces. Any clue what could be the problem?

Jennifer Halim Mon, 03/29/2010 - 04:46

When you say there is no NATing, where is the traffic to and from? High security level interface to low, or low security level interface to high?

rajeeshp Mon, 03/29/2010 - 04:54

Both are with the same security level and I have

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

configured on the ASA.

Jennifer Halim Mon, 03/29/2010 - 04:58

OK, but you still need to configure static NAT to itself even though same-security-traffic permit inter-interface has been configured, as that is for the ACL, not for NAT.

rajeeshp Mon, 03/29/2010 - 04:58

To add to my previous post: I can ping the DC from the ADC, so there is no basic communication issue. Network reachability is there.

Jennifer Halim Mon, 03/29/2010 - 05:13

1) Please check the syslog to see if it's being blocked by the firewall.

2) Run packet capture on both interfaces with ACL just between the DC and ADC:

access-list cap-test permit ip host host

access-list cap-test permit ip host host

capture cap-DC access-list cap-test interface

capture cap-ADC access-list cap-test interface

Try the "DCPROMO", and check the packet capture to see where it is breaking.
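For step 1 (checking the syslog for firewall drops), a small parser that pulls ACL deny messages (%ASA-4-106023 and %ASA-6-106100) out of an ASA syslog export and keeps only those between the DC and ADC pair, counted by ACL and destination port. This is an added example, not code from the thread; the addresses, interface names, ACL names and the log lines themselves are constructed for illustration.

```python
import re
from collections import Counter

# Constructed placeholders (not from the thread): assumed DC and ADC addresses.
DC_IP = "10.1.1.10"
ADC_IP = "10.2.2.10"

# Constructed sample syslog lines in ASA 106023 / 106100 / 302013 format.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1234 for branch:10.2.2.10/49200 (10.2.2.10/49200) to hq:10.1.1.10/135 (10.1.1.10/135)
%ASA-4-106023: Deny tcp src branch:10.2.2.10/49201 dst hq:10.1.1.10/49152 by access-group "branch_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src branch:10.2.2.10/49202 dst hq:10.1.1.10/389 by access-group "branch_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src other:10.9.9.9/5000 dst hq:10.1.1.10/53 by access-group "other_in" [0x0, 0x0]
%ASA-6-106100: access-list branch_in denied tcp branch/10.2.2.10(49203) -> hq/10.1.1.10(445) hit-cnt 1 first hit [0x1, 0x0]
"""

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 106100: access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
DENY_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)')


def parse_denies(log_text):
    """Return one dict per ACL deny record found in the syslog text."""
    events = []
    for line in log_text.splitlines():
        for pattern in (DENY_106023, DENY_106100):
            m = pattern.search(line)
            if m:
                event = m.groupdict()
                event["dport"] = int(event["dport"])
                events.append(event)
                break
    return events


def denies_between(log_text, host_a, host_b):
    """Deny records whose source/destination are exactly the given pair, either direction."""
    pair = {host_a, host_b}
    return [e for e in parse_denies(log_text) if {e["src"], e["dst"]} == pair]


def summarize(events):
    """Count denies by (acl, proto, dport) so the blocking ACL and port stand out."""
    return Counter((e["acl"], e["proto"], e["dport"]) for e in events)


if __name__ == "__main__":
    for key, count in summarize(denies_between(SAMPLE_LOG, DC_IP, ADC_IP)).items():
        print(key, count)
```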

kloc_marek Sun, 04/11/2010 - 12:21

Probably the dcerpc inspection drops some communication. Try "sh policy-map" and look in the dcerpc section at the number of dropped packets.
