Cisco CDA and Windows-Firewall

Unanswered Question
Aug 17th, 2012
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN


I just wanted to migrate from the AD-Agent to the CDA but I'm running into some problems with the windows firewall. That's the situation:

- The AD_Agent was running fine (with Windows-Firewall on DC enabled).

- The CDA can connect to my DC when I disable the Windows-Firewall

- The CDA can not communicate to my DC when I enable the Windows-Firewall. The error is:




An internal error occurred. [0x8001FFFF]



- I use the same user-account I used for the AD_Agent. The permissions for the two registry-keys that are stated in the install-guide are set.

- The rule for "Windows Management Instrumentation (WMI)" in Windows-Firewall is activated.

- The DC is running a german Windows 2008 R2. In the CDA-documentation I didn't find any hint that a localized Windows is unsupported, so I hpre that this is not the problem.

Any hints what I could be missing?

Don't stop after you've improved your network! Improve the world by lending money to the working poor:       

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
eshabat Tue, 08/21/2012 - 01:09
User Badges:

Hi Karsten,

Localized versions are supported, so that is probably not the issue here.

You can create a custom rule in the Windows firewall to allow udp and tcp traffic from the CDA and see if it solves your problem.



mvassigh Tue, 03/05/2013 - 10:04
User Badges:
  • Cisco Employee,

Hello Karsten, Erez,

I have noticed the same issue and error message. The only quick-fix was a FW-Policy allowing CDA-TCP connectivity to Windows-AD.

This is somehow strange, as I followed the latest CDA-Patch documents and did insert the WMI-Firewall-Access policy already, but this was not enough though.

To me it looks like some RPC/DCOM mapping is not opened for CDA to access the AD-Server.



s.fasel Mon, 11/25/2013 - 22:45
User Badges:

Hello Michael,

I also have noticed the same issue.

Your solution that create a FW rule to open all TCP ports between CDA and Windows-AD works fine.

But is there no another solution (more securely) ?

Thanks for your response

Best regards



This Discussion

Related Content