VPN drops for users sharing IP

Unanswered Question
Dec 9th, 2008

Is there something in the ASA that would prevent multiple users from connecting to a VPN?

Scenario: we have a company that uses the Cisco VPN client to use some of our network resources. They authenticate against AD.

However, 1 user will be stable, but then the more users that sign on from that company will experience VPN drops.

This issue is not happening with any other remote users. Everyone is under the same group policy.

John Blakley Tue, 12/09/2008 - 14:57

Seems really weird. Do they pull an address from a VPN pool? Are they using the same account to connect? You can have a limited user account login, meaning that a user can be restricted to having 3 simultaneous logins and 3 people can be connected using the same login.

Can you post the group policy and your tunnel policy for these users?

HTH,

John

nygenxny123 Tue, 12/09/2008 - 18:57

Yes, there is a DHCP pool configured on the ASA. Could that be it? Only 3 simultaneous?

They are all part of the A group.

group-policy AHattributes

banner value You are accessing the networko

wins-server value 192.168.0.93 192.168.9.5

dns-server value 192.168.0.93 192.168.9.5

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value A_splitTunnelAcl

default-domain value A-USA

tunnel-group general-attributes

address-pool A-Pool

authentication-server-group A-Domain

default-group-policy A

tunnel-group A ipsec-attributes

pre-shared-key *

tunnel-group Diamluster type remote-access

tunnel-group Diamuster general-attributes

address-pool A-Pool

authentication-server-group A-Domain

default-group-policy Diamonster

tunnel-group Dialuster ipsec-attributes

pre-shared-key *

ddawson Wed, 12/10/2008 - 14:53

This sounds like it could be a NAT issue with the device at that remote site. I suggest you configure "isakmp nat-traversal 20" in your ASA and see if that helps. This will enable UDP encapsulation of the ESP traffic (e.g. the encrypted data), which should help prevent issues with having multiple users behind a device performing PAT.
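
The PAT behaviour described in the reply above, as an added example that is not part of the original thread: a simplified model of a PAT device's return-path table, showing why raw ESP from several clients behind one public address collides while UDP-encapsulated ESP does not. The class, function names and addresses are constructed for illustration, and the model assumes a PAT device that tracks ESP only by protocol and peer address; real devices vary.

```python
ESP, UDP = 50, 17      # IP protocol numbers
NAT_T_PORT = 4500      # UDP port used for NAT-T encapsulated ESP

# Constructed sample addresses (documentation ranges), not from the thread.
ASA_IP = "198.51.100.1"
CLIENTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


class PatDevice:
    """Simplified PAT router: many inside hosts share one public address."""

    def __init__(self):
        self.next_port = 20000
        self.table = {}  # (proto, peer_ip, public_port) -> inside host

    def outbound(self, proto, inside_ip, peer_ip):
        """Record a flow leaving the site; return its public source port."""
        if proto == ESP:
            # ESP has no port field, so (protocol, peer) is the only key.
            # A second client to the same peer overwrites the first entry.
            self.table[(ESP, peer_ip, None)] = inside_ip
            return None
        # UDP: each inside flow is rewritten to a unique public source port.
        public_port = self.next_port
        self.next_port += 1
        self.table[(UDP, peer_ip, public_port)] = inside_ip
        return public_port

    def inbound(self, proto, peer_ip, public_port=None):
        """Return the inside host that receives a reply from the peer."""
        return self.table.get((proto, peer_ip, public_port))


def simulate(clients, asa_ip, nat_t):
    """Map each client to the host that actually receives the ASA's reply."""
    pat = PatDevice()
    proto = UDP if nat_t else ESP
    ports = {c: pat.outbound(proto, c, asa_ip) for c in clients}
    return {c: pat.inbound(proto, asa_ip, ports[c]) for c in clients}


if __name__ == "__main__":
    for nat_t in (False, True):
        print("NAT-T on " if nat_t else "NAT-T off", simulate(CLIENTS, ASA_IP, nat_t))
```

In this model a single client is delivered correctly either way, which matches the "1 user will be stable" symptom; the collisions start with the second client when NAT-T is off.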

eriklozano Thu, 02/05/2009 - 11:12

Hopefully someone can help with a similar issue I'm having with a PIX-515e firewall; software version 6.3.4, pdm version 3.0.2.

We're getting constant vpn termination errors (reason 412 and 413) from a group of users at one location. I am by no means a pix guru, but I've verified that nat-t is configured. I can't figure out how to determine if there is a group policy set. I'd be happy to post or email the current config if that will help - it's about 150 lines long.
