TCP Reset-I while trying to do LDAP auth in AAA

AdmShatan
Level 1

Short story: for a remote access VPN, I'm trying to auth against an LDAP server on the outside of my branch office. The branch office has an ASA 5505 Sec Plus. The LDAP server is in a data center behind a 5520, though it is statically NATed to an external IP address.

When I try and test auth against my LDAP server, though, I get an error saying that the LDAP server did not respond. However, I can see a TCP reset on the ASA, and have captured some packets:

TCP reset:

Teardown TCP connection xxx for outside ldap.ldap.ldap.ldap/389 to identity:asa.asa.asa.asa/2807 duration 0:00:21 bytes 286 TCP Reset-I

Packet Capture:

show cap capout

12 packets captured

   1: 13:00:11.836214 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: S 2552064091:2552064091(0) win 8192 <mss 1380,sackOK,nop,nop,nop,nop,timestamp 539401482 263829745>
   2: 13:00:11.853532 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: S 830582830:830582830(0) ack 2552064092 win 8192 <mss 1380,sackOK,timestamp 263895589 539401482>
   3: 13:00:11.853624 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830582831 win 8192 <nop,nop,timestamp 539401499 263895589>
   4: 13:00:11.853776 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064092:2552064237(145) ack 830582831 win 8192 <nop,nop,timestamp 539401500 263895589>
   5: 13:00:11.877853 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830582831:830583323(492) ack 2552064237 win 64296 <nop,nop,timestamp 263895591 539401500>
   6: 13:00:11.877914 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
   7: 13:00:11.878311 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064237:2552064304(67) ack 830583323 win 8192 <nop,nop,timestamp 539401524 263895591>
   8: 13:00:11.999109 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: P 830583323:830583433(110) ack 2552064304 win 64229 <nop,nop,timestamp 263895603 539401524>
   9: 13:00:11.999185 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: . ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
  10: 13:00:11.999444 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: P 2552064304:2552064311(7) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
  11: 13:00:11.999551 802.1Q vlan#2 P0 ASA.ASA.ASA.ASA.2807 > LDAP.LDAP.LDAP.LDAP.389: FP 2552064311:2552064311(0) ack 830583433 win 8192 <nop,nop,timestamp 539401645 263895603>
  12: 13:00:12.019103 802.1Q vlan#2 P0 LDAP.LDAP.LDAP.LDAP.389 > ASA.ASA.ASA.ASA.2807: R 830583433:830583433(0) ack 2552064311 win 0
12 packets shown

I know I'm querying over 389; I can switch to secure after I get this working (initially tried secure, but same results). The asa.asa.asa.asa address is the external IP of the branch office 5505.

Can someone help tell me what I'm looking at?

1 Reply

Jennifer Halim
Cisco Employee

Try to run "debug ldap" and see if it gives you more information.

From the packet capture, it seems that the 3-way handshake is successful, so TCP-wise it is OK. It seems to be more of an LDAP problem.
