Duo doesn't respond to ASA

Hello Team, I need your help

I am trying to configure MFA (AAA or LDAP with Duo) for AnyConnect and clientless SSL VPN. I followed the instructions in the following link

But when I test the AAA server or try to access the VPN, Duo doesn’t respond to the ASA.

The ASA tries to reach Duo on port 636 but gets no response back from Duo, although Duo is reachable by ICMP.

Is there a way to confirm from the Duo Dashboard whether the connection on port 636 reaches Duo?

Thanks,

If the connection from the ASA didn’t reach Duo’s service, then there is no way that Duo’s Admin Panel (which I think is what you mean by “Duo Dashboard”) can inform you of a connection it didn’t receive.

Have you tried taking a packet capture at your ASA and examining the packets sent to Duo to see what is happening? The capture would show you if the outgoing request ever made it to our service, and if it did, why it was closed without proceeding (maybe an inability to negotiate SSL due to cipher mismatch).

Here are instructions from Cisco for ASA packet captures: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

If you’re not sure what to do or need 1:1 troubleshooting assistance then it’s best that you contact Duo support.

Hello Kristina,

I already collected captures on my ASA and confirmed that the connection is one-way, from the ASA to Duo, without any response from the Duo server.

I tried a traceroute for the traffic on port 636 but got “!A”, which indicates that traceroute is restricted in our network.

I tried to reach Duo support but unfortunately have not received any feedback from them so far.

confirmed the connection in one way direction from ASA to duo without any response from Duo server

If you don’t get any response at all from the Duo server, not even an ACK, then it sounds like there might be an issue on your network. Check to make sure 636 outbound is permitted at your edge, etc. If you don’t manage your egress devices, loop in your networking team to help you.

For your reference and comparison, this is what a successful LDAPS connection looks like (establish connectivity, negotiate SSL, proceed):
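The reply above separates three stages of an LDAPS connection (TCP connectivity, SSL negotiation, proceeding). The following added probe, which is not part of this thread or of Duo's tooling, reports how far a connection to a host on TCP/636 gets so a "no response at all" egress problem can be told apart from a "TCP connects but SSL negotiation fails" problem; the local listeners it uses for demonstration are constructed stand-ins, and the host and port values are assumptions.

```python
import socket
import ssl
import threading


def probe_ldaps(host, port=636, timeout=3.0):
    """Return "no-tcp", "tcp-only" or "tls-ok:<version>" for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # No SYN-ACK within the timeout, a RST, or a routing failure:
        # the request never reaches a listening service (check egress).
        return "no-tcp"
    ctx = ssl.create_default_context()
    # Identity is deliberately not verified: this probe only asks whether
    # a TLS session can be negotiated at all, not whether the cert is valid.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls-ok:" + tls.version()
    except OSError:
        # TCP handshake completed but the peer closed or rejected the TLS
        # handshake (cipher mismatch, middlebox, wrong service on the port).
        return "tcp-only"


def tcp_accept_then_close():
    """Constructed stand-in: accept one TCP connection on a local port and
    close it without speaking TLS. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    bound = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return bound


def closed_local_port():
    """Constructed stand-in: reserve and release a local port so that a
    connection to it is refused (simulates 'nothing listening')."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(probe_ldaps("127.0.0.1", closed_local_port()))       # no-tcp
    print(probe_ldaps("127.0.0.1", tcp_accept_then_close()))  # tcp-only
```

Against a real LDAPS endpoint a "tls-ok" result means the path and negotiation are fine and the problem lies in the LDAP exchange itself, while "no-tcp" points at the network path rather than at Duo.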