
Cisco Defense Orchestrator

Troubleshoot FTD (Using Duo LDAP) RA VPN Connection

Primary authentication fails when the user attempts to connect to the FTD headend through AnyConnect. The syslog messages below identify the most common causes and their resolutions.

Syslog Message

AAA user authentication Rejected : reason = AAA failure : server = xx.xx.x.xx : user = ***** : user IP = xx.xx.x.xx

Cause

The user name and password may be incorrect.

Resolution

Provide the correct user name and password and try again.

Syslog Message

Routing failed to locate next hop for TCP from XXXXX to XXXXX

AAA authentication server not accessible : server =  xx.xx.xx.xx : user = *****

Cause

Duo server is not reachable from the FTD device.

Resolution
  1. In CDO, edit the Duo LDAP object and manually choose the interface that FTD uses to reach the Duo server.
  2. Deploy the configuration to FTD and try to log in again.

Syslog Message

Certificate validation failed. serial number: XXX, subject name: XXX.

Certificate chain failed validation. Generic validation failure occurred.

AAA authentication server not accessible.

Cause

No suitable trustpoint was found to validate the certificate presented by Duo.

Resolution

You must upload a trusted CA certificate to FTD using FDM (see Upload a Trusted CA Certificate to FTD Using FDM).

If the certificate is installed already, perform the following steps to validate whether the certificate is installed correctly:

  1. On the Devices & Services menu, select the FTD device and, under Device Actions on the right, click Command Line Interface. See Using the CDO Command Line Interface.
  2. Run show crypto ca certificates and confirm that the CA certificate for Duo is listed.

Syslog Message

AAA user authentication Rejected : reason = Invalid password : server = xx.xx.xx.xx : user = **** : user IP = yy.yy.yy.yy

Cause
  • The user account may not be present in Duo.
  • The user is present in Duo but is not in the "Permitted Groups" of the application.

Resolution
  1. Enroll the user in Duo. See https://duo.com/docs/enrolling-users for instructions.
  2. Add the user's group to "Permitted Groups" for the Cisco Firepower Threat Defense VPN application in Duo so that the user can authenticate. See https://duo.com/docs/protecting-applications#permitted-groups for instructions.
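As an added example that is not part of this Cisco article, the following Python script maps the syslog signatures listed above to the causes and resolutions this page gives, so the syslog from one failed AnyConnect login can be triaged quickly. The sample lines and addresses are constructed placeholders, and the rule order encodes this page's note that a certificate failure also logs "AAA authentication server not accessible".

```python
import re

# Rule table derived from the syslog messages and causes in this article; the
# certificate case also logs "server not accessible", so it is checked first.
RULES = [
    (re.compile(r"Certificate (chain failed validation|validation failed)"),
     "untrusted_duo_certificate",
     "No trustpoint validates Duo's certificate: upload the CA certificate with FDM, then check 'show crypto ca certificates'."),
    (re.compile(r"Routing failed to locate next hop|AAA authentication server not accessible"),
     "duo_server_unreachable",
     "Duo is not reachable from FTD: in CDO, edit the Duo LDAP object, choose the interface that reaches Duo, and deploy."),
    (re.compile(r"reason = Invalid password"),
     "user_not_permitted_in_duo",
     "User is not enrolled in Duo or is not in the application's Permitted Groups."),
    (re.compile(r"reason = AAA failure"),
     "bad_credentials",
     "Primary user name or password is wrong: retry with correct credentials."),
]
FIELD_RE = re.compile(r"(server|user IP|user)\s*=\s*(\S+)")  # longer key first


def classify(line):
    """Return category, hint and parsed fields for a recognised line, else None."""
    for pattern, category, hint in RULES:
        if pattern.search(line):
            return {"category": category, "hint": hint,
                    "fields": dict(FIELD_RE.findall(line))}
    return None


def triage(lines):
    """Collapse the syslog from one login attempt to its distinct root causes."""
    seen = {}
    for line in lines:
        result = classify(line)
        if result and result["category"] not in seen:
            seen[result["category"]] = result
    # "Server not accessible" is a symptom of the certificate problem, not a second cause.
    if "untrusted_duo_certificate" in seen:
        seen.pop("duo_server_unreachable", None)
    return seen


# Constructed sample batch for one failed login during a certificate problem.
SAMPLE_LOGS = [
    "Certificate validation failed. serial number: 01AB, subject name: CN=duo-api-placeholder.",
    "Certificate chain failed validation. Generic validation failure occurred.",
    "AAA authentication server not accessible.",
]
```

Feed classify() individual lines from the FTD syslog, or triage() the lines from one login attempt, and act on the returned hint.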