New Member

ASA VPN authorization via LDAP

Good afternoon,

We have a problem with user authorization when connecting over VPN. What makes the situation interesting is that some users connect successfully while others get a "Login error" in Cisco AnyConnect. I enabled debug ldap 255. At the same time, when we create a new user, user2.ldap, it authorizes successfully.

%ASA-7-609001: Built local-host outside:37.37.37.37
%ASA-6-302013: Built inbound TCP connection 5434768 for outside:37.37.37.37/9895 (37.37.37.37/9895) to identity:38.38.38.38/443 (38.38.38.38/443)
%ASA-6-725001: Starting SSL handshake with client outside:37.37.37.37/9895 to 38.38.38.38/443 for TLS session
%ASA-6-725003: SSL client outside:37.37.37.37/9895 to 38.38.38.38/443 request to resume previous session
%ASA-6-725002: Device completed SSL handshake with client outside:37.37.37.37/9895 to 38.38.38.38/443 for TLSv1.2 session
%ASA-6-302013: Built outbound TCP connection 5434769 for inside:10.32.51.2/636 (10.32.51.2/636) to identity:10.32.8.5/59707 (10.32.8.5/59707)
%ASA-7-711001: [7563] Session Start
%ASA-7-711001: [7563] New request Session, context 0x00002aaad8033e40, reqType = Authentication
%ASA-7-711001: [7563] Fiber started
%ASA-7-711001: [7563] Creating LDAP context with uri=ldaps://10.32.51.2:636
%ASA-6-725001: Starting SSL handshake with server inside:10.32.8.5/59707 to 10.32.51.2/636 for TLS session
%ASA-7-725009: Device proposes the following 4 cipher(s) to server inside:10.32.8.5/59707 to 10.32.51.2/636
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[4] : DHE-RSA-AES256-SHA
%ASA-7-725013: SSL server inside:10.32.8.5/59707 to 10.32.51.2/636 chooses cipher AES256-SHA
%ASA-6-725005: SSL server inside:10.32.8.5/59707 to 10.32.51.2/636 requesting our device certificate for authentication
%ASA-6-725002: Device completed SSL handshake with server inside:10.32.8.5/59707 to 10.32.51.2/636 for TLSv1.2 session
%ASA-7-711001: [7563] Connect to LDAP server: ldaps://10.32.51.2:636, status = Successful
%ASA-7-711001: [7563] supportedLDAPVersion: value = 3
%ASA-7-711001: [7563] supportedLDAPVersion: value = 2
%ASA-7-711001: [7563] Binding as SSGPO.CvpnS
%ASA-7-711001: [7563] Performing Simple authentication for SSGPO.CvpnS to 10.32.51.2
%ASA-7-711001: [7563] LDAP Search:
Base DN = [OU=SSGPO,DC=group,DC=erg,DC=kz]
Filter = [sAMAccountName=user.ldap]
Scope = [SUBTREE]
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-6-725007: SSL session with server inside:10.32.8.5/59707 to 10.32.51.2/636 terminated
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-6-113013: AAA unable to complete the request Error : reason = AAA Server has been removed : user = user.ldap
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707

ASA5516-VPN#
ASA5516-VPN# %ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-6-302014: Teardown TCP connection 5434769 for inside:10.32.51.2/636 to identity:10.32.8.5/59707 duration 0:00:00 bytes 918 TCP Reset by appliance
%ASA-7-711001: [7563] Request for user.ldap returned code (-1) Can't contact LDAP server
%ASA-7-711001: [7563] Talking to Active Directory server 10.32.51.2
%ASA-7-711001: [7563] Failed to get Active Directory current time, ret code(-1) Can't contact LDAP server
%ASA-7-711001: [7563] Fiber exit Tx=333 bytes Rx=565 bytes, status=-3
%ASA-7-711001: [7563] Session End

1 REPLY
Bronze

Good afternoon.

Try running your own test with third-party tools, using the parameters:

Base DN = [OU=SSGPO,DC=group,DC=erg,DC=kz]
Filter = [sAMAccountName=user.ldap]

It is possible that the server cannot give a response the ASA can read.

Regards, Alexander.
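As an added illustration (not code from either post), the script below pulls the LDAPS URI, bind account and search parameters out of the debug output quoted in the question, counts the 710005 discards and the 725007 session termination that precede the "Can't contact LDAP server" result, and builds the equivalent OpenLDAP ldapsearch command for the stand-alone test the reply suggests. The sample log is a constructed, shortened copy of the post's capture; the assumption that the ASA bind account can be passed to ldapsearch -D unchanged may not hold for Active Directory, which may require a user@domain name or a full DN.

```python
import re

# Constructed excerpt of the post's "debug ldap 255" output (same ids and values; the run of 710005 lines shortened).
SAMPLE_DEBUG = """\
%ASA-7-711001: [7563] Creating LDAP context with uri=ldaps://10.32.51.2:636
%ASA-7-711001: [7563] Binding as SSGPO.CvpnS
%ASA-7-711001: [7563] LDAP Search:
Base DN = [OU=SSGPO,DC=group,DC=erg,DC=kz]
Filter = [sAMAccountName=user.ldap]
Scope = [SUBTREE]
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-7-710005: TCP request discarded from 10.32.51.2/636 to inside:10.32.8.5/59707
%ASA-6-725007: SSL session with server inside:10.32.8.5/59707 to 10.32.51.2/636 terminated
%ASA-7-711001: [7563] Request for user.ldap returned code (-1) Can't contact LDAP server
"""

PATTERNS = {  # one capture group each, applied per line
    "uri": re.compile(r"uri=(\S+)"),
    "bind_as": re.compile(r"Binding as (\S+)"),
    "base_dn": re.compile(r"^Base DN = \[(.+)\]$"),
    "filter": re.compile(r"^Filter = \[(.+)\]$"),
    "scope": re.compile(r"^Scope = \[(\w+)\]$"),
    "result": re.compile(r"returned code \((-?\d+)\) (.+)$"),
}

def parse_ldap_debug(text):
    """Extract URI, bind account, search parameters and failure indicators from ASA debug output."""
    info = {k: None for k in PATTERNS}
    info.update(tcp_discards=0, ssl_terminated=False)
    for line in text.splitlines():
        info["tcp_discards"] += "%ASA-7-710005" in line   # server segments the ASA dropped
        info["ssl_terminated"] |= "%ASA-6-725007" in line  # LDAPS session closed
        for key, pat in PATTERNS.items():
            if m := pat.search(line):
                info[key] = (int(m.group(1)), m.group(2)) if key == "result" else m.group(1)
    return info

def diagnose(info):
    """One-line verdict: did the search get an answer, or did the session die first?"""
    if info["result"] is None or info["result"][0] == 0:
        return "search answered" if info["result"] else "no result line; capture incomplete"
    return (f"search failed ({info['result'][1]}): {info['tcp_discards']} server segments "
            f"discarded, LDAPS session terminated={info['ssl_terminated']}")

def ldapsearch_command(info):
    """Equivalent stand-alone test with OpenLDAP ldapsearch (the reply's 'third-party tool').
    Assumes the bind account works as-is for -D; AD may need user@domain or a DN instead."""
    scope = {"SUBTREE": "sub", "ONELEVEL": "one", "BASE": "base"}.get(info["scope"], "sub")
    return (f'ldapsearch -H {info["uri"]} -D "{info["bind_as"]}" -W '
            f'-b "{info["base_dn"]}" -s {scope} "({info["filter"]})" sAMAccountName')
```

Run the printed ldapsearch command from a host on the inside network; if it returns the user entry while the ASA still fails, the problem is between the ASA and the server rather than in the directory data.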
