VPN Problem!

Unanswered Question
Jan 13th, 2009


I've configured an ASA to act as a VPN server.

The clients from Microsoft Windows XP use a VPN connection and they can connect, but after the concurrent remote VPN sessions become 6 or 7, no one else can connect to the ASA until someone disconnects!

I also use the vpn concurrent session command and set its value to 5000.

The problem is that when they try to connect they get this message: "Server did not assign address". Also, I've checked my IP pool and I have enough IPs in my pool.

Please someone help me.

The best answer will get a high rating.

Best Regards B.Mozaffari

Ivan Martinon Tue, 01/13/2009 - 09:20
User Badges:
  • Cisco Employee,

Thanks. I don't see a pool configured globally, nor one defined on the tunnel group or group policy. Either it was removed by mistake or the clients are getting an IP address via the authentication server. Can you confirm either of them?

mrmozaffari Tue, 01/13/2009 - 09:22

They get their IP addresses from the authentication server.

Ivan Martinon Tue, 01/13/2009 - 09:49
User Badges:
  • Cisco Employee,

OK, I would go ahead and enable debug radius all on your ASA to check if the Framed-IP-Address attribute is sent back from the ACS when the user is trying to connect. I will also check if the user is assigned to the correct group where this pool is assigned. Also, one good tip is to enable accounting, since when using pools with an authentication server the ASA might think IP addresses are not released, therefore causing it not to allocate a previously freed IP address.

mrmozaffari Tue, 01/13/2009 - 11:45

Take a look at the configuration please. Accounting has been configured already.

Ivan Martinon Tue, 01/13/2009 - 11:57
User Badges:
  • Cisco Employee,

What did you get with the debugs? Your config looks good; nothing in it states it should not assign the IP address.

mrmozaffari Tue, 01/13/2009 - 12:18

I really don't know!

Until 6 remote clients everything is OK!

But then!!!

Ivan Martinon Tue, 01/13/2009 - 12:56
User Badges:
  • Cisco Employee,

OK, in order to find out if the issue is the ACS or the ASA, you need to enable those debugs ("debug radius all") right after the 7th client is about to connect. After you get them, you can analyze them or post them here.
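
Added example, not part of the original thread and not Cisco code: the check suggested in the replies above is whether the RADIUS Access-Accept for the failing client carries a Framed-IP-Address attribute (type 8 in RFC 2865). This Python code parses a raw Access-Accept and returns the assigned address, or None when the server sent none. The function names, the sample packets and the 192.0.2.16 address are constructed for illustration.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
FRAMED_IP_ADDRESS = 8    # attribute type carrying the client's address


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match packet")
    attrs, pos = [], 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]  # a_len counts the 2 header bytes
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def framed_ip(packet: bytes):
    """Address assigned in an Access-Accept, or None if the server sent none."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    for a_type, value in parse_attributes(packet):
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            return ipaddress.IPv4Address(value)
    return None


def build_accept(ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed test packet; the authenticator is zeroed, not a real MD5."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: one reply with an address, one without (the failing case).
with_ip = build_accept(6, [(6, struct.pack("!I", 2)),  # Service-Type = Framed
                           (8, ipaddress.IPv4Address("192.0.2.16").packed)])
without_ip = build_accept(7, [(6, struct.pack("!I", 2))])

if __name__ == "__main__":
    for name, pkt in (("client 6", with_ip), ("client 7", without_ip)):
        print(name, "->", framed_ip(pkt) or "no Framed-IP-Address in Access-Accept")
```

An Access-Accept without attribute 8 points at the authentication server or its group mapping; one that does carry the attribute points back at the ASA side.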

