I've successfully set up ASA5510 + VPN client + local author+authen, checked whether the VPN tunnel was established, and it was. Then I followed http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml to set up Kerberos authentication + LDAP authorization, checked the time settings and Preauthorization in AD for the test VPN user, then tested both functions. It worked.
However, when I try to establish a VPN connection using the very same username as when I test from ASDM, I get the following output in the Real Time Log Viewer:
4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 126.96.36.199, Information Exchange processing failed
4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 188.8.131.52, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated
6|Jan 19 2009|17:36:01|602304|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 184.108.40.206 and 220.127.116.11 (user= DefaultRAGroup) has been deleted.
6|Jan 19 2009|17:36:01|602304|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 18.104.22.168 and 22.214.171.124 (user= DefaultRAGroup) has been deleted.
6|Jan 19 2009|17:36:01|603107|||||L2TP Tunnel deleted, tunnel_id = 82, remote_peer_ip = 126.96.36.199
6|Jan 19 2009|17:36:01|603106|||||L2TP Tunnel created, tunnel_id is 82, remote_peer_ip is 188.8.131.52
4|Jan 19 2009|17:36:01|737013|||||IPAA: Error freeing address 0.0.0.0, not found
6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient
6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)
6|Jan 19 2009|17:36:00|302015|184.108.40.206|1753|220.127.116.11|1701|Built inbound UDP connection 841 for outside:18.104.22.168/1753 (22.214.171.124/1753) to identity:126.96.36.199/1701 (188.8.131.52/1701)
5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 184.108.40.206, PHASE 2 COMPLETED (msgid=d365e0c5)
6|Jan 19 2009|17:35:59|602303|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 220.127.116.11 and 18.104.22.168 (user= DefaultRAGroup) has been created.
5|Jan 19 2009|17:35:59|713049|||||Group = DefaultRAGroup, IP = 22.214.171.124, Security negotiation complete for User () Responder, Inbound SPI = 0xccd70173, Outbound SPI = 0x0f05b74a
6|Jan 19 2009|17:35:59|602303|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 126.96.36.199 and 188.8.131.52 (user= DefaultRAGroup) has been created.
6|Jan 19 2009|17:35:59|713177|||||Group = DefaultRAGroup, IP = 184.108.40.206, Received remote Proxy Host FQDN in ID Payload: Host Name: ws-nsk02.compumark.lexmark.ru Address 220.127.116.11, Protocol 17, Port 1701
5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 18.104.22.168, PHASE 1 COMPLETED
6|Jan 19 2009|17:35:59|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup
4|Jan 19 2009|17:35:59|713903|||||Group = DefaultRAGroup, IP = 22.214.171.124, Freeing previously allocated memory for authorization-dn-attributes
6|Jan 19 2009|17:35:59|713172|||||Group = DefaultRAGroup, IP = 126.96.36.199, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
If I switch back to local authentication and authorization, VPN clients connect without any problem.
Why is the reason "Unspecified", and what else should I check?
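Added example (not part of the post above, and not Cisco code): a small Python parser for the pipe-delimited lines the ASDM Real Time Log Viewer produces. It puts the lines back into chronological order (the viewer lists newest first), pulls the user, server and reason out of each 113005 AAA rejection, checks whether a UDP/88 connection to that server was built in the seconds before the reject (so the KDC was reachable and the "Unspecified" reason is not a connectivity failure), and attaches the teardown reason from the following 113019 message. The sample lines are copied from the post, IP addresses exactly as shown there; the five-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the post above (ASDM Real Time Log Viewer export, newest
# first). Field layout is severity|date|time|msgid|src|sport|dst|dport|message.
SAMPLE_LOG = """\
4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 126.96.36.199, Information Exchange processing failed
4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 188.8.131.52, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated
6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient
6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)
5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 184.108.40.206, PHASE 2 COMPLETED (msgid=d365e0c5)
5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 18.104.22.168, PHASE 1 COMPLETED
"""

FIELDS = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")

AAA_REJECT = re.compile(
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S*)"
)
DISCONNECT_REASON = re.compile(r"Reason: (?P<reason>.+)$")


def parse_line(line):
    """Split one ASDM log line into a dict; return None for lines that don't fit."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != len(FIELDS):
        return None
    ev = dict(zip(FIELDS, parts))
    ev["severity"] = int(ev["severity"])
    ev["msgid"] = int(ev["msgid"])
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%b %d %Y %H:%M:%S")
    return ev


def parse_log(text):
    """Parse all lines and return them oldest-first (the viewer lists newest first)."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev is not None]
    # reverse first so a stable sort keeps same-second events in their real order
    return sorted(reversed(events), key=lambda e: e["ts"])


def kdc_contacted(events, server, before, window=timedelta(seconds=5)):
    """True if a UDP connection involving server:88 was built within `window` before `before`.

    The window length is an assumption, not something the ASA documents.
    """
    for ev in events:
        if ev["msgid"] != 302015 or not (before - window <= ev["ts"] <= before):
            continue
        if (ev["src"], ev["sport"]) == (server, "88") or (ev["dst"], ev["dport"]) == (server, "88"):
            return True
    return False


def analyze(text):
    """Return one finding per AAA rejection (113005) with the context around it."""
    events = parse_log(text)
    findings = []
    for i, ev in enumerate(events):
        if ev["msgid"] != 113005:
            continue
        m = AAA_REJECT.search(ev["text"])
        if not m:
            continue
        finding = {
            "user": m["user"],
            "server": m["server"],
            "reason": m["reason"],
            "kdc_contacted": kdc_contacted(events, m["server"], ev["ts"]),
            "disconnect_reason": None,
        }
        # First session teardown (113019) logged at or after the rejection
        for later in events[i + 1:]:
            if later["msgid"] == 113019:
                d = DISCONNECT_REASON.search(later["text"])
                finding["disconnect_reason"] = d["reason"] if d else None
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the post's lines this reports a single rejection for user vpnclient by server 192.168.91.25 with reason "Unspecified", kdc_contacted True (the UDP/88 connection to that server was built one second earlier), and the session torn down with "L2TP initiated". Feed it a larger export to see whether the reject always follows a successful KDC connection or whether some attempts never reach port 88.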