Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Active Directory issues and ASA 5510

We are running an ASA 5510 w/ 8.0(3) code that is isolating vendor systems from our network. We have an enterprise AD structure and the vendor has an internal AD structure for their system. Their systems exist on our network in a non-routed VLAN and the ASA has an interface inside that VLAN for traffic. If I disable the ASA interface, all connectivity within the VLAN functions normally (and I stress within the VLAN). If I enable the interface, the devices can no longer authenticate nor map network shares within the VLAN. A packet capture finds master browser elections that no one answers while the interface is enabled but the AD server answers when the interface is off. I have tried denying all traffic across the interface and even allowing all traffic. NETBIOS inspect, DNS inspect are turned on in the default inspect policy. Yes, the allow traffic between hosts on the same interface is enable as well. All the devices are physically connected to the same switch and exists in the same VLAN. Please forgive the lack of logs at this moment, I can't access them from home but will add in another post tomorrow. Any guidance or suggestions to look for is appreciated.

joe Bronze

Re: Active Directory issues and ASA 5510

First regarding AD, i have had more than my share of this lately with my clients ;)

Please explain more about the relationship with the AD connections?

Are your servers multi-homed in their DMZ with dual-nics?

Could their be a simple IP conflict between the ASA (include nat's as ARP plays into this) and their servers? How have you checked this? look at arp -a on the servers... make sure you dont have arp entries for servers coming back to the ASA's mac address...

have you setup a trust between your servers? one-way? two-way?

What does eventvwr show? who error messages?

please give us these answers and we can continue helping you solve this?

Would you be open to me coming in with you on webex and helping you solve this?



New Member

Re: Active Directory issues and ASA 5510

Thanks for the response Joe..

The two AD's mentioned are completely seperate, no trusts, no DMZ, no nothing. Their AD is in place to authenticate their workstations to their db server. Another system within their setup sends data to two specific systems on the private side of our network. I haven't looked at the arps' on their server but I can and will. We assigned the ip range for their systems and we check for duplicates before assigning them, but who knows.

The vendor server (and workstations) event logs sho very generic and non-descript error messages relating to SMB errors.

Sadly, the powers that be in my workplace do not allow Webex unless it is written in as support on a contract :(

Thank you again for your response.


New Member

Re: Active Directory issues and ASA 5510

There was a duplicate arp entry on the server.I deleted it and am awaiting the results. Thanks again for the info.