12-03-2019 12:47 PM
Hello Team, I need your help
I am trying to configure MFA (AAA or LDAP with Duo) for AnyConnect and clientless SSL VPN. I followed the instructions in the following link,
but when I do "test AAA server" or try to access the VPN, Duo doesn’t respond to the ASA;
the ASA tries to reach Duo on port 636 but gets no response back from Duo, although Duo is reachable by ICMP.
Is there a way to confirm from the Duo Dashboard whether the connection on port 636 reaches Duo?
thanks,
12-04-2019 08:14 AM
If the connection from the ASA didn’t reach Duo’s service, then there is no way that Duo’s Admin Panel (which I think is what you mean by “Duo Dashboard”) can inform you of a connection it didn’t receive.
Have you tried taking a packet capture at your ASA and examining the packets sent to Duo to see what is happening? The capture would show you if the outgoing request ever made it to our service, and if it did, why it was closed without proceeding (maybe an inability to negotiate SSL due to cipher mismatch).
Here are instructions from Cisco for ASA packet captures: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html
If you’re not sure what to do or need 1:1 troubleshooting assistance then it’s best that you contact Duo support.
12-05-2019 01:08 AM
Hello Kristina,
I already collected captures on my ASA and confirmed the connection is one-way, from the ASA to Duo, without any response from the Duo server.
I tried to do a traceroute for the traffic on port 636 but got “!A”, which indicates the traceroute is restricted in our network.
I tried to reach Duo support but unfortunately I haven’t gotten any feedback from them yet.
12-05-2019 07:25 AM
confirmed the connection in one way direction from ASA to duo without any response from Duo server
If you don’t get any response at all from the Duo server, not even an ACK, then it sounds like there might be an issue on your network? Check to make sure 636 outbound is permitted at your edge, etc. If you don’t manage your egress devices loop in your networking team to help you.
For your reference and comparison, this is what a successful LDAPS connection looks like (establish connectivity, negotiate SSL, proceed):
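As an added example (written for this page, not part of the thread and not Duo or Cisco tooling), here is a small Python script that applies the checks from the two replies above to tcpdump-style capture summary lines of the kind `show capture` prints on an ASA. It groups packets per client port and reports which of the three situations each connection to port 636 is in: only outbound SYNs with nothing coming back (the "not even an ACK" case, pointing at egress filtering or routing), TCP connected but the server reset or closed right after the ClientHello (the "closed without proceeding" case, typically a TLS version or cipher mismatch), or bytes flowing both ways (connectivity established and the TLS negotiation at least started). The capture lines, the 198.51.100.10 address standing in for Duo's LDAPS endpoint, and the client ports are all constructed for illustration; the parser assumes the classic tcpdump flag notation (S, ., P, F, R) with "ack" spelled out, and it cannot see TLS record contents, so "data both ways" does not by itself prove a ServerHello was received.

```python
"""Triage tcpdump-style LDAPS capture lines: did anything come back from Duo?"""
import re
from dataclasses import dataclass
from typing import Dict

LDAPS_PORT = 636

# Constructed sample (not a real capture) in the summary format the ASA
# 'show capture' command prints. 198.51.100.10 stands in for the Duo LDAPS
# endpoint; three client ports show three different outcomes.
SAMPLE_CAPTURE = """\
   1: 12:47:01.000100 10.1.1.5.50000 > 198.51.100.10.636: S 1000:1000(0) win 8192 <mss 1380>
   2: 12:47:04.000100 10.1.1.5.50000 > 198.51.100.10.636: S 1000:1000(0) win 8192 <mss 1380>
   3: 12:47:10.000100 10.1.1.5.50000 > 198.51.100.10.636: S 1000:1000(0) win 8192 <mss 1380>
   4: 12:48:01.000100 10.1.1.5.50001 > 198.51.100.10.636: S 2000:2000(0) win 8192 <mss 1380>
   5: 12:48:01.030100 198.51.100.10.636 > 10.1.1.5.50001: S 7000:7000(0) ack 2001 win 29200 <mss 1380>
   6: 12:48:01.030200 10.1.1.5.50001 > 198.51.100.10.636: . ack 7001 win 8192
   7: 12:48:01.031000 10.1.1.5.50001 > 198.51.100.10.636: P 2001:2250(249) ack 7001 win 8192
   8: 12:48:01.061000 198.51.100.10.636 > 10.1.1.5.50001: R 7001:7001(0) ack 2250 win 0
   9: 12:49:01.000100 10.1.1.5.50002 > 198.51.100.10.636: S 3000:3000(0) win 8192 <mss 1380>
  10: 12:49:01.030100 198.51.100.10.636 > 10.1.1.5.50002: S 8000:8000(0) ack 3001 win 29200 <mss 1380>
  11: 12:49:01.030200 10.1.1.5.50002 > 198.51.100.10.636: . ack 8001 win 8192
  12: 12:49:01.031000 10.1.1.5.50002 > 198.51.100.10.636: P 3001:3250(249) ack 8001 win 8192
  13: 12:49:01.061000 198.51.100.10.636 > 10.1.1.5.50002: P 8001:9380(1379) ack 3250 win 29200
  14: 12:49:01.061500 10.1.1.5.50002 > 198.51.100.10.636: . ack 9380 win 8192
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+\d+:\d+\((?P<length>\d+)\))?"
    r"(?P<rest>.*)$"
)


@dataclass
class Session:
    client: str               # ASA side, "ip:port"
    server: str               # LDAPS side, "ip:port"
    syn_sent: int = 0         # >1 means SYN retransmits: nobody answered
    synack_seen: bool = False
    server_rst: bool = False
    server_fin: bool = False
    client_bytes: int = 0     # payload ASA -> server (TLS ClientHello etc.)
    server_bytes: int = 0     # payload server -> ASA


def parse_capture(text: str, port: int = LDAPS_PORT) -> Dict[str, Session]:
    """Group summary lines into per-client-port sessions towards `port`."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a TCP summary line
        src, dst = f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"
        if int(m["dport"]) == port:
            client, server, from_client = src, dst, True
        elif int(m["sport"]) == port:
            client, server, from_client = dst, src, False
        else:
            continue                      # unrelated traffic
        s = sessions.setdefault(f"{client}->{server}", Session(client, server))
        flags, length = m["flags"], int(m["length"] or 0)
        if from_client:
            s.syn_sent += "S" in flags
            s.client_bytes += length
        else:
            s.synack_seen |= "S" in flags and " ack " in m["rest"]
            s.server_rst |= "R" in flags
            s.server_fin |= "F" in flags
            s.server_bytes += length
    return sessions


def classify(s: Session) -> str:
    """Map one session to the troubleshooting state it indicates."""
    if not s.synack_seen and not s.server_rst and s.server_bytes == 0:
        return "NO_RESPONSE"      # only our SYNs: check egress/routing for 636
    if s.server_rst and not s.synack_seen:
        return "REFUSED"          # host reachable, port closed or reset by a filter
    if s.client_bytes and s.server_bytes:
        return "DATA_BOTH_WAYS"   # TCP up and TLS exchange started (an alert also counts)
    if s.client_bytes and (s.server_rst or s.server_fin):
        return "TCP_OK_NO_TLS"    # ClientHello sent, server closed: TLS/cipher mismatch
    return "TCP_ONLY"             # handshake done, no payload yet (capture cut short?)


def classify_capture(text: str, port: int = LDAPS_PORT) -> Dict[str, str]:
    return {key: classify(s) for key, s in parse_capture(text, port).items()}


if __name__ == "__main__":
    for key, s in parse_capture(SAMPLE_CAPTURE).items():
        print(f"{key}: {classify(s)} (SYNs={s.syn_sent}, "
              f"client bytes={s.client_bytes}, server bytes={s.server_bytes})")
```

Paste the text output of your own `show capture <name>` into `parse_capture` in place of the constructed sample. If every session comes back as NO_RESPONSE with several SYNs each, the ASA never saw a reply and the Duo Admin Panel will have nothing to show; that is the point to involve whoever manages the egress path. TCP_OK_NO_TLS is the case where the full (non-summary) capture is worth opening in a decoder to read the TLS handshake.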
09-15-2020 10:00 PM
I’m just curious if you were able to resolve it and what was the reason for it?