Authentication not working over BOVPN
We have a Firebox M200 running XTM 11.9.6 (yes, it's old. I inherited it from the previous sysadmin and haven't got around to updating it yet).
We changed our Internet connection and since then have been unable to authenticate through the Firebox to AD. I also changed the IP on one of the VLANs.
Current interface setup is:
- eth0 - WAN
- eth1 - LAN
- eth2 - VLAN
- VLAN 200 - Wi-Fi
- VLAN 300 - Guest Wi-Fi
The AD is a managed AD in AWS and the Firebox is connected to it via a BOVPN. The interesting thing is that the workstations on the LAN can authenticate and ping the AD servers across the BOVPN.
Using the Authentication > Servers > Test Connection for LDAP and Active Directory, I receive 'Connect to server: Failed (can't connect to 172.31.33.242[server is down or unreachable])'
Using Dashboard > Traffic Monitor I get the following:
2020-12-29 20:25:43 admd admPrcsAction: xpath=/authentication/diagnose
2020-12-29 20:25:43 admd admActionTestUser:get rqst [[email protected]]
2020-12-29 20:25:43 admd admGetNextAuthRqstSessId() got sessId=65584
2020-12-29 20:25:43 admd Use [domain.com.au] Svr#1 ip=0xac1f21f2 domain-name= port= 389 Score=0
2020-12-29 20:25:43 admd admActionTestUser: create hash entry OK, Id=65584
2020-12-29 20:25:43 admd admLdapSessInit: LDAP URI is ldap://[ip of ad server]:389
2020-12-29 20:25:43 admd admLdapSessInit: set LDAP referrals off for AD server ok.
2020-12-29 20:25:43 admd admLdapSessInit: ldap_initialize succeed, connHdl=0x100af240
2020-12-29 20:25:43 admd admLdapSessStartBinding: building user DN by searchBase==>OU=orgUnit,DC=domain,DC=com,DC=au
2020-12-29 20:25:43 admd admLdapSessStartBinding: dnsSuffix=[domain.com.au]
2020-12-29 20:25:43 admd admLdapSessStartBinding: search binding, using built user DN==>[email protected]
2020-12-29 20:25:48 admd admLdapSessStartBinding: search binding failed, msgId=-1, err=(null)
2020-12-29 20:25:48 admd ADM auth user [[email protected]] Error, Reason - Ldap binding not successful
2020-12-29 20:25:48 admd Authentication of Firewall user [[email protected]] from console rejected, unknown reason id="1100-0005"
2020-12-29 20:25:48 admd ct=47 **** SessHashListWalk: numEntry=1 Size=255
2020-12-29 20:25:48 admd admLdapSessFSM: state=0, secDiff=0
2020-12-29 20:25:48 admd admLdapSessFSM: Drop on default, do nothing.
2020-12-29 20:25:48 admd --Success on del sess for authRqstId=65584(0x10030)
2020-12-29 20:25:48 admd admLdapSessReleaseResource:ldap_unbind() connHdl=0x100af240
System Status > Diagnostics > Network > Ping shows 100% packet loss to the AD server.
I've rebuilt the VPN between the AWS and firebox with no result, although I don't think that's the issue as the computers are able to authenticate normally. I feel like it's a routing or policy issue on the Firebox, but I've not changed any of that (aside from rebuilding with the correct new WAN IP address) from when it was working.
Another thought I had was that the Firebox is using one of the other interface IP addresses (instead of eth1) to initiate communications with the AWS resources. Because it's using the wrong IP, there are no routes or security groups in AWS to allow the IP that it's using. I'm not sure how to test / fix that theory if it's correct.
Thank you for your assistance.
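Added example (not from the original post and not WatchGuard code): a small Python parser for the admd lines that Traffic Monitor prints during Authentication > Servers > Test Connection. It decodes the hex server address that admd logs (ip=0xac1f21f2), checks it against the address in the "can't connect to ..." message, and measures how long the bind took before it failed. The classification rule is my own assumption, not documented Fireware behaviour: a bind that dies after several seconds with err=(null) never received an LDAP result, which points at the path (route, VPN selector, source interface), whereas a server that answers and refuses returns an LDAP error text almost immediately. The sample log is constructed from the lines quoted in the post, with its redacted placeholders left in place.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Iterator, Optional, Tuple

# Constructed sample: the admd events quoted in the post, one per line. The e-mail
# placeholders and "[ip of ad server]" are kept exactly as they appear there.
SAMPLE_LOG = """\
2020-12-29 20:25:43 admd admActionTestUser:get rqst [[email protected]]
2020-12-29 20:25:43 admd Use [domain.com.au] Svr#1 ip=0xac1f21f2 domain-name= port= 389 Score=0
2020-12-29 20:25:43 admd admLdapSessInit: LDAP URI is ldap://[ip of ad server]:389
2020-12-29 20:25:43 admd admLdapSessStartBinding: building user DN by searchBase==>OU=orgUnit,DC=domain,DC=com,DC=au
2020-12-29 20:25:43 admd admLdapSessStartBinding: search binding, using built user DN==>[email protected]
2020-12-29 20:25:48 admd admLdapSessStartBinding: search binding failed, msgId=-1, err=(null)
2020-12-29 20:25:48 admd ADM auth user [[email protected]] Error, Reason - Ldap binding not successful
2020-12-29 20:25:48 admd admLdapSessReleaseResource:ldap_unbind() connHdl=0x100af240
"""

# The Test Connection result from the post, used to cross-check the target address.
TEST_CONNECTION_MSG = ("Connect to server: Failed (can't connect to 172.31.33.242"
                       "[server is down or unreachable])")

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
LINE_RE = re.compile(rf"^({TS_RE}) admd (.*)$")
SERVER_RE = re.compile(r"Svr#\d+ ip=(0x[0-9a-fA-F]+) .*port= ?(\d+)")
BASE_RE = re.compile(r"searchBase==>(.+)$")
FAIL_RE = re.compile(r"search binding failed, msgId=(-?\d+), err=(.*)$")
REASON_RE = re.compile(r"Reason - (.+)$")
TEST_CONN_RE = re.compile(r"can't connect to (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class BindDiagnosis:
    server_ip: Optional[str] = None
    port: Optional[int] = None
    search_base: Optional[str] = None
    bind_started: Optional[datetime] = None
    bind_failed: Optional[datetime] = None
    bind_error: Optional[str] = None
    reason: Optional[str] = None

    @property
    def bind_seconds(self) -> Optional[float]:
        if self.bind_started and self.bind_failed:
            return (self.bind_failed - self.bind_started).total_seconds()
        return None


def decode_hex_ip(token: str) -> str:
    """admd logs the server as ip=0xac1f21f2; convert that to a dotted quad."""
    return str(IPv4Address(int(token, 16)))


def split_events(dump: str) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message). Works for one-event-per-line text and for the
    run-together form Traffic Monitor produces when copied as a single line."""
    for chunk in re.split(rf"(?={TS_RE} admd )", dump):
        m = LINE_RE.match(chunk.strip())
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def diagnose(dump: str) -> BindDiagnosis:
    d = BindDiagnosis()
    for ts, msg in split_events(dump):
        if (m := SERVER_RE.search(msg)):
            d.server_ip, d.port = decode_hex_ip(m.group(1)), int(m.group(2))
        elif (m := BASE_RE.search(msg)):
            d.search_base = m.group(1).strip()
        elif "search binding, using built user DN" in msg:
            d.bind_started = ts
        elif (m := FAIL_RE.search(msg)):
            d.bind_failed, d.bind_error = ts, m.group(2).strip()
        elif (m := REASON_RE.search(msg)):
            d.reason = m.group(1).strip()
    return d


def target_matches_test_connection(d: BindDiagnosis, msg: str) -> Optional[bool]:
    """True when the hex address admd used is the one Test Connection complained about,
    i.e. the Firebox is aiming at the configured server and the problem is the path."""
    m = TEST_CONN_RE.search(msg)
    if not m or d.server_ip is None:
        return None
    return m.group(1) == d.server_ip


def classify(d: BindDiagnosis, timeout_floor_s: float = 3.0) -> str:
    """Heuristic (assumption, not WatchGuard documentation): no LDAP error text plus a
    multi-second delay means no reply ever arrived; an LDAP error text means the server
    answered and refused the bind."""
    if d.bind_failed is None:
        return "no-bind-failure"
    no_ldap_error = d.bind_error in (None, "", "(null)")
    if no_ldap_error and (d.bind_seconds or 0.0) >= timeout_floor_s:
        return "unreachable"   # route / VPN selector / source interface problem
    return "rejected"          # DN, credentials or search base problem


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    print(f"target {diag.server_ip}:{diag.port} (matches Test Connection: "
          f"{target_matches_test_connection(diag, TEST_CONNECTION_MSG)}), base "
          f"{diag.search_base}, bind took {diag.bind_seconds}s, err={diag.bind_error!r} "
          f"-> {classify(diag)}")
```

Run against the posted log it reports the target as 172.31.33.242:389, the same address the Test Connection error names, with a five-second bind that produced no LDAP error text, which is consistent with the 100% ping loss seen in Diagnostics rather than with a bad bind DN or password.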