06-18-2007 12:51 PM - edited 03-10-2019 03:13 PM
folks
i have a vpn client terminating on my 3030 but i pass the authentication onto a 3rd party radius server
i can see the client connecting and being allocated an IP but then things fail - i suspect there are problems connecting or authenticating with the 3rd party radius
i get the following messages on the 3030
13425 06/18/2007 11:47:22.060 SEV=5 IKEDBG/64 RPT=72 192.168.203.13
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: False
13446 06/18/2007 11:48:06.180 SEV=4 AUTH/15 RPT=89
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Not-in-service
13448 06/18/2007 11:48:09.380 SEV=3 AUTH/5 RPT=14 192.168.203.13
Authentication rejected: Reason = Unspecified
handle = 714, server = 145.229.158.69, user = deladmin, domain = <not specified>
13450 06/18/2007 11:48:17.860 SEV=4 AUTH/15 RPT=90
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Active
13451 06/18/2007 11:49:54.410 SEV=4 IKE/48 RPT=24 192.168.203.13
Group [roamDEL] User [deladmin]
Error processing payload: Payload ID: 14
13452 06/18/2007 11:49:54.420 SEV=5 IKE/194 RPT=301 192.168.203.13
Group [roamDEL] User [deladmin]
Sending IKE Delete With Reason message: No Reason Provided.
13454 06/18/2007 11:49:54.420 SEV=5 IP/43 RPT=335
Deleting TCP entry for device 192.168.203.13 on port 1484
13455 06/18/2007 12:04:36.290 SEV=5 IP/49 RPT=354
Headend transmitting TCP SYN-ACK pkt to client 192.168.203.13, TCP dest port 1765
anyone any ideas how i can troubleshoot this on the 3030 - i'll try a packet sniffer and look for both inbound and outbound from the ACS box but i'm interested in any comments
thanks for anyone taking the time to reply
06-18-2007 01:16 PM
Michael
My attention is drawn to these 2 messages in the log:
13446 06/18/2007 11:48:06.180 SEV=4 AUTH/15 RPT=89
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Not-in-service
and
13450 06/18/2007 11:48:17.860 SEV=4 AUTH/15 RPT=90
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Active
It would seem to indicate an issue with the Radius server but it is not clear from this whether the issue is between your concentrator and the Radius server or if it is between the client and the Radius server. Are there other clients that connect to this concentrator and authenticate with that Radius server? If so do they work? Is the problem isolated to this client or are other clients similarly impacted?
I would suggest getting in touch with the administrators of the Radius server and asking their assistance in resolving this, beginning with whether they are seeing error messages in their logs that correspond to this attempt to authenticate.
HTH
Rick
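Added example, not part of the original thread: a small Python parser for the concentrator log format quoted above that lists AUTH/5 rejections logged while an AUTH/15 entry reports a RADIUS server as Not-in-service. The function names are hypothetical, and the log layout is inferred only from the entries quoted in this thread.

```python
import re
from datetime import datetime

# Sample input: the three AUTH entries quoted in the thread above.
SAMPLE_LOG = """\
13446 06/18/2007 11:48:06.180 SEV=4 AUTH/15 RPT=89
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Not-in-service
13448 06/18/2007 11:48:09.380 SEV=3 AUTH/5 RPT=14 192.168.203.13
Authentication rejected: Reason = Unspecified
handle = 714, server = 145.229.158.69, user = deladmin, domain = <not specified>
13450 06/18/2007 11:48:17.860 SEV=4 AUTH/15 RPT=90
Server name = 10.14.1.160, type = RADIUS,
group = roamDEL, status = Active
"""

# Header line: sequence, timestamp, severity, event id, repeat count, optional peer.
HEADER = re.compile(
    r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) SEV=\d+ (\S+) RPT=\d+(?: \S+)?$")

def parse_events(text):
    """Attach each entry's continuation lines to its header line."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m[2], "%m/%d/%Y %H:%M:%S.%f")
            events.append({"seq": int(m[1]), "time": when, "event": m[3], "body": ""})
        elif events and line:
            events[-1]["body"] += " " + line
    return events

def rejections_during_outage(events):
    """List AUTH/5 rejections logged while AUTH/15 showed a server Not-in-service."""
    down, hits = {}, []  # down: server name -> time it left service
    for ev in events:
        if ev["event"] == "AUTH/15":
            m = re.search(r"Server name = (\S+?),.*status = (\S+)", ev["body"])
            if m and m[2] == "Not-in-service":
                down[m[1]] = ev["time"]
            elif m:
                down.pop(m[1], None)  # any other status ends the outage window
        elif ev["event"] == "AUTH/5":
            user = re.search(r"user = (\S+?),", ev["body"])
            for server, since in down.items():
                secs = round((ev["time"] - since).total_seconds(), 2)
                hits.append((ev["seq"], user[1] if user else None, server, secs))
    return hits
```

Each result tuple is (sequence number, user, server that was out of service, seconds since it left service); run it as `rejections_during_outage(parse_events(SAMPLE_LOG))` or pass in a full saved event log.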
06-18-2007 01:22 PM
rick
many thanks for your response
there are other vpns working on the same concentrator from the same source lan - but this one is different as it uses a 3rd party radius server
we've already mailed the third party and are waiting for a response
many thanks again
06-18-2007 01:36 PM
Michael
It seems to me that I have seen symptoms similar to this when the node secret got out of synch between the concentrator and the Radius server. It might be worthwhile requesting that the administrator of the Radius server clear the node secret (generate a new node secret for your machine) and for you to delete the file from your concentrator and have it relearn the node secret.
HTH
Rick