Troubleshooting RA VPN FTD

 

Having a customer running FTDs managed by FMC configured for remote access vpn. The authentication is performed through LDAP.

 

Taking a request that they can’t login with anyconnect and the message login failed appeared.

Then I resetted my own password from AD as I didn’t save it when I created it (if I don’t save it on KeePass then always need a reset). I tried to login with my credentials and I successfully connected.

 

Then I knew that the issue was with specific user.

I checked the FW config and everything was there correctly!

 

Intead of resetting the password I proceeded with some debugs on the firewall to better understand and find the issue.

Before that I connected on FTD cli then on system support diagnostic-cli 

 

sho debug

debug aaa authentication enabled at level 1

debug aaa authentication enabled at level 1 (persistent)

debug aaa authorization enabled at level 1

debug aaa authorization enabled at level 1 (persistent)

debug aaa accounting enabled at level 1

debug aaa accounting enabled at level 1 (persistent)

debug aaa internal enabled at level 1

debug aaa internal enabled at level 1 (persistent)

debug aaa url-redirect enabled at level 1

debug aaa url-redirect enabled at level 1 (persistent)

debug aaa common enabled at level 1

debug aaa common enabled at level 1 (persistent)

INFO: Webvpn conditional debug is turned ON

INFO: User name filters:

INFO: pro

debug vpn-sessiondb  enabled at level 9

debug vpn-sessiondb  enabled at level 9 (persistent)

debug vpn-session-trace  enabled at level 1

debug vpn-session-trace  enabled at level 1 (persistent)

debug ldap  enabled at level 255

debug ldap  enabled at level 255 (persistent)

INFO: Webvpn conditional debug is turned ON

INFO: User name filters:

INFO: pro

debug webvpn  enabled at level 1

debug webvpn  enabled at level 1 (persistent)

INFO: Webvpn conditional debug is turned ON

INFO: User name filters:

INFO: pro

Debug fxos_parser off

Conditional debug filters:

Conditional debug features:

 

After the debugs I tried to login with the customer credentials

Then I noticed the below:

[583] Binding as pro

[583] Performing Simple authentication for pro to 172.30.1.10

[583] Simple authentication for pro returned code (49) Invalid credentials

[583] Message (pro): 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563

[583] Account for pro locked out

 

The issue was clear. I reset the user credentials from AD.

 

Everything worked after that!!


What is your approach of troubleshooting RA VPN issues on FTDs??
You can send me a message through my social media accounts or commend


Source: 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_vpn_troubleshooting.html


Comments

Post a Comment

Popular posts from this blog

Upgrade WLC / Supplementary image

  Today I had to upgrade an AIROS cisco 2504 WLC. After checking if the APs are supported by the new recommended version I noticed that I had to install the supplementary image also. The reason was that 1602i APs wasn’t supported by the main image in 8.5.171.0 version. Due to image size cisco created separate file for some AP images called Supplementary AP Bundle image. Procedure:   Step 1:   Check the current WLC image (Cisco Controller) >show boot Primary Boot Image............................... 8.3.150.0 (default) (active) Backup Boot Image................................ 8.0.152.0 Step 2: Upload the new image ( AIR-CT2500-K9-8-5-171-0.aes ) I did the below procedure via HTTPS. Verify (Cisco Controller) >show boot Primary Boot Image............................... 8.5.171.0 (default) Backup Boot Image................................ 8.3.150.0 (active) Step 3: Check Supported APs of the new version (Cisco Controller) >show ap bundle primary Primary Version
Read more

Converting lightweigh to standalone AP and vice versa

Connect with console cable to the cisco AP Default credentials Username : cisco Password: Cisco You can find the AP image type by running the command show version When the AP image ends with k9w8 means the AP is lightweight When the AP image ends with k9w7 means the AP is Standalone AP7cad.74ff.975e> sho version Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JK2, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Wed 01-Apr-20 04:25 by prod_rel_team ROM: Bootstrap program is C3700 boot loader BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1) AP7cad.74ff.975e uptime is 5 minutes System returned to ROM by power-on System image file is "flash:/ap3g2- k9w8 -mx.153-3.JK2/ap3g2-k9w8-xx.153-3.JK2" Last reload reason: Reason Not Known To convert the AP from lightweight to standalone please follow the below pro
Read more

ISE Direct Upgrade URT

Run Upgrade Readiness Tool (URT) to validate config DB upgrade from 2.7,3.0,3.1 to 3.2. This is a signed bundle for image integrity (ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz) In this case i am running ise 3.1 patch 7 and will upgrade to 3.2 As we are running an HA the URT need to run on secondary admin node. Got the below error once i tried to run it on Primary Checking ISE persona ======================================================   - Failed (URT can only be run on Secondary Admin Node or Standalone % Application install or upgrade cancelled. ise03/admin# ====================================================== *Note When you need to run it on secondary note, you have to generate on secondary the key (crypto host_key add host 10.10.10.10) and then you can run the URT. Below is URT logging ise04/adMIN# application install ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz  ""SFTP-SRV01"" Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Gen
Read more