Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2756
Views
0
Helpful
4
Replies

Duo doesn't respond to ASA

A_sem_Abushgeir
Level 1
Level 1

‎12-03-2019 12:47 PM

Hello Team, I need your help

I am trying to configure MFA (AAA or LDAP with Duo) for anyconnect and clientless ssl vpn, I followed the instructions in the following link

but when do test AAA server or try to access the VPN the Duo doesn’t respond to the ASA,

the ASA tries to reach the Duo on port 636 but no response back from Duo, where the Duo is reachable by ICMP.

is there a way to confirm from the Duo Dashboard if the connection on port 636 reaches the Duo.

thanks,

Labels:
0 Helpful
4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

‎12-04-2019 08:14 AM

If the connection from the ASA didn’t reach Duo’s service, then there is no way that Duo’s Admin Panel (which I think is what you mean by “Duo Dashboard”) can inform you of a connection it didn’t receive.

Have you tried taking a packet capture at your ASA and examining the packets sent to Duo to see what is happening? The capture would show you if the outgoing request ever made it to our service, and if it did, why it was closed without proceeding (maybe an inability to negotiate SSL due to cipher mismatch).

Here’s instructions from Cisco for ASA packet captures: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

If you’re not sure what to do or need 1:1 troubleshooting assistance then it’s best that you contact Duo support.

Duo, not DUO.
0 Helpful

A_sem_Abushgeir
Level 1
Level 1
In response to DuoKristina

‎12-05-2019 01:08 AM

hello Kristina,

I already took collected captures on my ASA and confirmed the connection in one way direction from ASA to duo without any response from Duo server.

tried to do tracroute for the traffic on port 636 but I got “!A” which indicates the tracroute is restricted in our network.

I tried to reach Duo support but unfortunately till now I didn’t get any feedback from them.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to A_sem_Abushgeir

‎12-05-2019 07:25 AM

confirmed the connection in one way direction from ASA to duo without any response from Duo server

If you don’t get any response at all from the Duo server, not even an ACK, then it sounds like there might be an issue on your network? Check to make sure 636 outbound is permitted at your edge, etc. If you don’t manage your egress devices loop in your networking team to help you.

For your reference and comparison, this is what a successful LDAPS connection looks like (establish connectivity, negotiate SSL, proceed):

2X_e_ededa25ff8d3e1204fa5704c0287dcb5ec20aca0.jpeg

Duo, not DUO.
0 Helpful

Aleksandr Rykhlov
Level 1
Level 1
In response to A_sem_Abushgeir

‎09-15-2020 10:00 PM

I’m just curious if you were able to resolve it and what was the reason for it?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents