ASA Cut Through Proxy & Dynamic Access Policies
Howdy everyone. Don't know where to stick this question. But here's my situation.
I set up cut through proxy / dynamic access policies on my ASA and it authenticates based on AD group names. Everything was working great. So I decided to write erase the firewall and do it again.
Second time around it's very slow; when I enter my credentials on the authentication page it takes 10-12 seconds to authenticate! Sometimes it's fast, but most of the time it's slow. So I thought maybe it was something with the config. So I restored from the backup I made when it was working fine, and yet it still has a delay of 10-12 seconds.
So I am a little befuddled. Any thoughts?
Currently Reading:
CCIE: Network Security Principles and Practices
CCIE: Routing and Switching Exam Certification Guide
Comments
-
millworx Member Posts: 290
Yeah, we are using the same NTP server for the DC and the ASA.
I learned that lesson the hard way when I was trying to get some VMs on one of my ESX hosts to join the domain and it wouldn't because I left off the NTP settings. lol.
So we are good with clock synchronization.
Also too, I did wipe the dap.xml file from the disk0 prior to wiping the config. So it should be completely clean.
Also too, from the CLI of the ASA, if I run:
test aaa authentication MS-AD host ds.xxxx.com username jason password *****
it returns INFO: Authentication Successful almost immediately. So it seems ASA related.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Is it using GP to pull DHCP information or something? I seem to remember that being an option. Anything in the logs?
-
millworx Member Posts: 290
No GPs on this firewall. I'm separating users into GPs on another firewall using SSL VPN, so they land in their correct virtual desktop. Then from the virtual desktop they hit this firewall using DAP. Nothing quirky in the logs. I'm going to keep digging.