I'm trying to configure UserID via our domain controllers in AWS.
We have an HA PA-820 pair on-prem connected to our domain in AWS via a redundant IPsec tunnel. Traffic is passing between LAN and IPsec zones; on-prem workstations can ping both domain controllers. I have configured an LDAP Server Profile, an Authentication Profile, and User Identification.
When I went to set up an LDAP Server Profile, the "Base DN" dropdown did not auto-populate with our domain name, despite the domain controllers' addresses having been entered into the appropriate field. I've manually entered the Base DN, in hopes that it might work, anyway. However, when I try to test the LDAP configuration, I get this:
test authentication authentication-profile domain.org-auth-profile username email@example.com password
Enter password :
Server error :domain.org-auth-profile is invalid authentication-profile.Current target-vsys is none
test -> authentication -> authentication-profile is invalid
In Device > Setup > Service Route Configuration, I have configured LDAP to go through the LAN interface, to no avail. Configuring it to go through one of the tunnel interfaces also hasn't worked. I have configured a security rule to allow traffic from Management to LAN, but I'm not seeing any hits on that rule in the traffic monitor.
What am I missing?
Any help you can provide would be very much appreciated.
What do the traffic logs show? Do you have a policy that allows LDAP traffic? Filter by source and destination IPs and see if any of the traffic is getting denied or blocked.
Thanks for the reply, Otakar.Klier.
There aren't any entries from the Management interface (184.108.40.206) to the DC, but there are some from the LAN interface (192.168.1.1) to the DCs (10.250.11.50 and 10.250.12.50). Currently, I have rules allowing all LAN traffic to pass through the tunnel, in both directions. Threat scanning and decryption have not yet been configured, so they shouldn't be blocking anything. I also have rules allowing all traffic from Management to/from the tunnel (temporarily). Curiously, neither of those rules is getting hit; instead, it's hitting the Internet egress rule from LAN to WAN.
Based on the incomplete application log, I suspect a routing issue. Double check the virtual router config and make sure that the AWS routes are pointed at your tunnel. That could explain why it's trying to go out the internet instead.
Hope that helps.
100% what @Otakar.Klier said. When the firewall is doing the route lookup, it is finding no route for the traffic which means it will just use the default route which evidently points to your WAN interface.
Add a static route for 10.250.12/24 (or etc) with interface of tunnel interface and no nexthop IP and your issue will be resolved.
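To make the diagnosis above concrete, here is an added example (not from the thread or from Palo Alto Networks) that models the firewall's longest-prefix-match route lookup with the subnets from this thread. Interface names (ethernet1/1 for WAN, ethernet1/2 for LAN, tunnel.1 for the IPsec tunnel) and the WAN next hop are assumptions; the DC prefixes come from the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    nexthop: Optional[str] = None  # None = route points at the interface only (tunnel case)


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins.
    With no matching specific route, only the 0.0.0.0/0 default can match."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_interface(rib: List[Route], dst: str) -> Optional[str]:
    route = lookup(rib, dst)
    return route.interface if route else None


# Constructed table mirroring the original symptom: LAN is a connected route and
# the only other entry is the default route via the WAN interface (assumed names).
BEFORE = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "ethernet1/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1", "203.0.113.1"),
]

# Same table plus static routes for the DC subnets pointing at the tunnel
# interface with no next-hop IP, as suggested in the reply above.
AFTER = BEFORE + [
    Route(ipaddress.ip_network("10.250.11.0/24"), "tunnel.1"),
    Route(ipaddress.ip_network("10.250.12.0/24"), "tunnel.1"),
]

if __name__ == "__main__":
    for dc in ("10.250.11.50", "10.250.12.50"):
        print(dc, "before:", egress_interface(BEFORE, dc),
              "after:", egress_interface(AFTER, dc))
```

Before the static routes are added, both DC addresses resolve to the WAN interface, which is exactly why the traffic log showed hits on the LAN-to-WAN Internet egress rule rather than on the tunnel rules.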