3030 VPN concentrator

mulhollandm · ‎06-18-2007

folks

i have a vpn client terminating on my 3030 but i pass the authentication onto a 3rd party radius server

i can see the client connecting and being allocated an IP but then things fail - i suspect there are problems connecting or authenticating with the 3rd party radius

i get the following messages on the 3030

13425 06/18/2007 11:47:22.060 SEV=5 IKEDBG/64 RPT=72 192.168.203.13

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

13446 06/18/2007 11:48:06.180 SEV=4 AUTH/15 RPT=89

Server name = 10.14.1.160, type = RADIUS,

group = roamDEL, status = Not-in-service

13448 06/18/2007 11:48:09.380 SEV=3 AUTH/5 RPT=14 192.168.203.13

Authentication rejected: Reason = Unspecified

handle = 714, server = 145.229.158.69, user = deladmin, domain = <not specified>

13450 06/18/2007 11:48:17.860 SEV=4 AUTH/15 RPT=90

Server name = 10.14.1.160, type = RADIUS,

group = roamDEL, status = Active

13451 06/18/2007 11:49:54.410 SEV=4 IKE/48 RPT=24 192.168.203.13

Group [roamDEL] User [deladmin]

Error processing payload: Payload ID: 14

13452 06/18/2007 11:49:54.420 SEV=5 IKE/194 RPT=301 192.168.203.13

Group [roamDEL] User [deladmin]

Sending IKE Delete With Reason message: No Reason Provided.

13454 06/18/2007 11:49:54.420 SEV=5 IP/43 RPT=335

Deleting TCP entry for device 192.168.203.13 on port 1484

13455 06/18/2007 12:04:36.290 SEV=5 IP/49 RPT=354

Headend transmitting TCP SYN-ACK pkt to client 192.168.203.13, TCP dest port 1765

anyone any ideas how i can troubleshoot this on the 3030 - i'll try a packet sniffer and look for both inbound and ooutbound from the ACS box but i'm interested in any comments

thanks for anyone taking the time to reply

Richard Burts · ‎06-18-2007

Michael

My attention is drawn to these 2 messages in the log:

13446 06/18/2007 11:48:06.180 SEV=4 AUTH/15 RPT=89

Server name = 10.14.1.160, type = RADIUS,

group = roamDEL, status = Not-in-service

and

13450 06/18/2007 11:48:17.860 SEV=4 AUTH/15 RPT=90

Server name = 10.14.1.160, type = RADIUS,

group = roamDEL, status = Active

It would seem to indicate an issue with the Radius server but it is not clear from this whether the issue is between your concentrator and the Radius server or if it is between the client and the Radius server. Are there other clients that connect to this concentrator and authenticate with that Radius server? If so do they work? Is the problem isolated to this client or are other clients similarly impacted?

I would suggest getting in touch with the administrators of the Radius server and asking their assistance in resolving this, beginning with whether they are seeing error messages in their logs that correspond to this attempt to authenticate.

HTH

Rick

HTH

Rick

mulhollandm · ‎06-18-2007

rick

many thanks for your response

there are other vpns working on the same concentrator from the same source lan - but this one is different as it uses a 3rd party radius server

we've already mailed the third party and are waiting for a response

many thanks again

Richard Burts · ‎06-18-2007

Michael

It seems to me that I have seen symptoms similar to this when the node secret got out of synch between the concentrator and the Radius server. It might be worthwhile requesting that the administrator of the Radius server clear the node secret (generate a new node secret for your machine) and for you to delete the file from your concentrator and have it relearn the node secret.

HTH

Rick

HTH

Rick