- After updating the DCs from 2008R2 to 2016, LDAPS stopped working. Plain LDAP works just fine.
- LDAPS is running just fine on the DCs and is serving other servers as expected. The only issues with LDAPS are with the ASAs.
- The RootCA that is issuing certificates to the DCs didn't change.
- System clocks are in sync.
ASA versions
- 5520: 9.1(7)19
- 5545-X: 9.6(3)1
Configuration
aaa-server AD (inside) host A.B.C.D
 ldap-base-dn DC=x,DC=y,DC=z
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=d,OU=c,OU=b,OU=a,DC=x,DC=y,DC=z
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map VPN-LDAP-MAP
Debugs
test aaa-server authentication AD host A.B.C.D username test password test
[-2147483625] Session Start
[-2147483625] New request Session, context 0x74b43ccc, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://A.B.C.D:636
[-2147483625] Connect to LDAP server: ldaps://A.B.C.D:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End
ERROR: Authentication Server not responding: AAA Server has been removed
NMAP enum ciphers
nmap -p 636 --script ssl-enum-ciphers A.B.C.D -Pn
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
Any ideas what to do next?
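An added example, not part of the post above: a small triage script that parses nmap ssl-enum-ciphers output for an LDAPS endpoint and flags the things that commonly make one TLS client fail where others succeed: an undersized server key (nmap's "rsa N" annotation is the RSA key size it saw in the key exchange, the server certificate's key for TLS_RSA_* suites), deprecated ciphers, a missing protocol version, and no cipher suite in common with the client. The sample scan text is a constructed, abbreviated copy of the scan in the post; the client cipher list is hypothetical and stands in for whatever the failing client actually sends in its ClientHello.

```python
# Added example: triage an nmap ssl-enum-ciphers result for an LDAPS endpoint.
# SAMPLE_SCAN is constructed and abbreviated from the scan in the post; the
# client cipher list used at the bottom is hypothetical.
import re
from collections import defaultdict

SAMPLE_SCAN = """\
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - D
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - D
|_    cipher preference: server
"""

PROTO_RE = re.compile(r"^\|_?\s+(SSLv3|TLSv1\.\d):\s*$")
# suite name, key-exchange algorithm, key-exchange bit length, nmap grade
SUITE_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\s+\((\w+)\s+(\d+)\)\s+-\s+([A-F])\s*$")
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT")


def parse_enum_ciphers(text):
    """Map each protocol version to a list of (suite, kex_algo, kex_bits, grade)."""
    parsed = defaultdict(list)
    proto = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            suite, algo, bits, grade = m.groups()
            parsed[proto].append((suite, algo, int(bits), grade))
    return dict(parsed)


def min_rsa_bits(parsed):
    """Smallest RSA key size seen in any key exchange, or None if no RSA suite was offered."""
    sizes = [bits for suites in parsed.values() for _, algo, bits, _ in suites if algo == "rsa"]
    return min(sizes) if sizes else None


def weak_suites(parsed):
    """Suites using RC4, 3DES, MD5, NULL or EXPORT, deduplicated across versions."""
    return sorted({s for suites in parsed.values() for s, *_ in suites
                   if any(w in s for w in WEAK_MARKERS)})


def common_suites(parsed, client_suites):
    """Per protocol version, the server suites a client offering client_suites could negotiate."""
    offered = set(client_suites)
    return {p: sorted({s for s, *_ in suites} & offered) for p, suites in parsed.items()}


def triage(parsed, min_key_bits=2048, client_suites=None):
    """Return human-readable findings about why a client might reject this endpoint."""
    findings = []
    rsa = min_rsa_bits(parsed)
    if rsa is not None and rsa < min_key_bits:
        findings.append(f"RSA key is {rsa} bits (< {min_key_bits}); "
                        "a client enforcing a minimum key size aborts the handshake")
    weak = weak_suites(parsed)
    if weak:
        findings.append("deprecated ciphers offered: " + ", ".join(weak))
    if "TLSv1.2" not in parsed:
        findings.append("TLSv1.2 not offered; TLS 1.2-only clients cannot connect")
    if client_suites is not None:
        common = common_suites(parsed, client_suites)
        if not any(common.values()):
            findings.append("no cipher suite in common with the client; handshake cannot succeed")
        else:
            findings.append("negotiable: " + "; ".join(
                f"{p}: {', '.join(v)}" for p, v in common.items() if v))
    return findings


if __name__ == "__main__":
    parsed = parse_enum_ciphers(SAMPLE_SCAN)
    # Hypothetical client cipher list; replace it with what the failing client
    # really offers (for example from a packet capture of its ClientHello).
    client = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    for finding in triage(parsed, client_suites=client):
        print("-", finding)
```

Feed it the real scan (redirect nmap's output to a file and read it instead of SAMPLE_SCAN) and the real client cipher list, and the output separates the two questions that matter here: whether the DC's certificate key is something the client will accept, and whether the two sides share any cipher suite at all.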