VPN concentrator to ASA migration - auth. issue

Answered Question
Jun 10th, 2008

Hi All,

I am in the process of migrating the remote access VPN (IPSec) from VPN 3020 to ASA. Local authentication works fine. If I add IAS RADIUS servers for authentication, then I get the following error message:

Secure VPN connection terminated by Peer.

Reason 433: (Reason Not Specified by Peer)

Packet capture shows IAS server returning "access-reject". IAS server is configured the same way as the VPN 3020.

I am running 8.0(0) code on the ASA. Any idea what is causing it?

Correct Answer by massimiliano.se... Tue, 06/10/2008 - 21:06

Hi,

Did you specify the shared secret between the ASA and IAS?

Did you specify in the RADIUS server that the ASA is allowed to send queries? In other words, did you specify that the ASA is a valid NAS?

This link may be useful: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

I hope this helps.

Best regards.

Massimiliano.

dcarlton Wed, 06/11/2008 - 03:28

The 3030 always sent the domain by default but the ASA does not send it unless the user enters it. Check the System event log on the IAS server and look at the fully-qualified-user-name entry and make sure the domain is correct.

Can you paste the entire System event entry for a user that's being rejected?

mchockalingam Wed, 06/11/2008 - 19:05

Problem solved!

It was the shared secret key after all. I went back to the IAS server guy and asked him to confirm the shared secret and I was using 'l' instead of '1' (one). I entered the correct key and it started working.

Thanks for all the suggestions.
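The thread's root cause (an 'l' typed for a '1' in the shared secret) is worth seeing at the protocol level: RADIUS never sends the secret, it only uses it to hide the PAP User-Password and to sign the Response Authenticator, so a typo surfaces as a plain Access-Reject on the wire even though the password is right. The constructed simulation below (example code, not from this thread or from Cisco; the secrets, user name and password are made up) follows RFC 2865 and shows the one signal that separates a bad secret from a bad password: the NAS's own check of the Response Authenticator fails.

```python
import hashlib
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2      # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret the result is garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def parse_attrs(attrs: bytes) -> dict:
    out, i = {}, 0
    while i < len(attrs):
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()

def simulate(nas_secret, server_secret, username, password, stored_password):
    """Constructed NAS<->RADIUS server PAP exchange; returns (reply code, NAS trusts reply)."""
    ident, req_auth = 7, os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, nas_secret, req_auth))
    # Server side: unhide with *its* secret and compare to the stored credential.
    got = unhide_password(parse_attrs(attrs)[USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if got == stored_password else ACCESS_REJECT
    reply_auth = response_authenticator(code, ident, b"", req_auth, server_secret)
    # NAS side: recompute with its own secret; a mismatch here is the fingerprint of a secret typo.
    return code, reply_auth == response_authenticator(code, ident, b"", req_auth, nas_secret)
```

With matching secrets a wrong password still yields Access-Reject, but the reply validates; with mismatched secrets the reply fails validation, which is the check to look for in NAS debug output before chasing the user database.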
