ASA 5540 Not Authenticating

Answered Question
Jan 22nd, 2009

Our ASA 5540 has just started to deny all inbound connections for VPN with the following messages:

106023 Deny udp src dmz:...

713048 Error processing payload:

713048 Sending IKE Delete No Reason Prvd

713902 Removing peer from peer tabl fld

713903 Error. Unable to Remove Peer

Upon connection, regardless of user, when the username and password are entered the fields immediately clear and no login occurs.

Correct Answer by Ivan Martinon about 8 years 3 days ago

Go figure.... it usually ends on a human mistake :P

Ivan Martinon Thu, 01/22/2009 - 10:59

Can you post here the next debugs "debug crypto isakmp 50"? To check whether authentication is the issue, you can go ahead and issue a test command on the asa for your authentication "test aaa authentication " type in the username and password and see if it fails or passes.

wdhowellsr Thu, 01/22/2009 - 11:08

Will do. Just a side point is that the ASA time was actually two hours off of the accurate time. It was reset to the current time but authentication still did not work. I'm getting the debugs now and will post them.

wdhowellsr Thu, 01/22/2009 - 11:49

Actually the good news is that we can access the asa directly but apparently the connection between the asa and the active directory server is not working. When we tested authentication it says the server is unavailable.

Ivan Martinon Thu, 01/22/2009 - 11:53

OK, what is the authentication protocol in use? Can the ASA reach it via ping?

wdhowellsr Thu, 01/22/2009 - 12:37

We can ping the AD server from the ASA. The client is using UDP, the AD group is using RADIUS, but when authenticating from within the ASA the authentication server is unavailable.

Ivan Martinon Thu, 01/22/2009 - 13:29

So the protocol that you are using to communicate the ASA to the AD is radius, assuming via AIS, what do you see on the Event Viewer of your server?

Ivan Martinon Thu, 01/22/2009 - 13:40

Sorry, typo: I meant IAS. Do you see the authentication request on the server? Run a "debug radius all" on the ASA with the test; do you see any error there?
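
Ping only proves IP reachability; RADIUS is a separate UDP exchange with its own shared-secret check. The probe below is an added example (not from this thread or Cisco's "test aaa authentication"), written from RFC 2865: it builds an Access-Request with a PAP-hidden User-Password, sends it to UDP 1812, and verifies the Response Authenticator so that "no reply", "wrong shared secret" and a real Accept/Reject can be told apart. Server address, secret, NAS IP and credentials are placeholders you supply.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident: int, secret: bytes, user: str, pw: str, nas_ip: str):
    """Return (packet, request_authenticator): User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    ra = os.urandom(16)  # Request Authenticator: random per request, also keys the PAP hiding
    attrs = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in (
        (1, user.encode()), (2, pap_encrypt(pw.encode(), secret, ra)), (4, socket.inet_aton(nas_ip))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp: bytes, ident: int, secret: bytes, request_auth: bytes) -> bool:
    """Reject replies that are short, mis-sized, for another identifier, or signed with another secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp) or resp[1] != ident:
        return False
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest() == resp[4:20]

def probe(server: str, secret: bytes, user: str, pw: str, nas_ip: str, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and classify the outcome; nas_ip is only the attribute value, not the socket source."""
    pkt, ra = build_access_request(1, secret, user, pw, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            # RFC 2865: requests from an unregistered client are silently discarded, so this looks "unavailable"
            return "no reply: server unreachable, port filtered, or this host is not a registered RADIUS client"
    if not response_is_authentic(resp, 1, secret, ra):
        return "reply failed authenticator check: shared secret mismatch or spoofed reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(resp[0], f"code {resp[0]}")
```

Run it as `probe("192.0.2.10", b"placeholder-secret", "testuser", "testpass", "192.0.2.1")` from a host the IAS server lists as a RADIUS client (the addresses and secret here are placeholders).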

wdhowellsr Thu, 01/22/2009 - 15:38

You're going to love this. First, I'm actually a contract programmer analyst developing a web reporting module for an insurance company. Second, the IT department is limited and they ask my help occasionally.

Now for the good part.

The problem first started happening on Saturday afternoon. Obviously something changed at that point.

wait for it..

..

..

..

The Manager of IT decided to set the IAS server to dynamic IP and use the static IP on another server.

That one's a keeper.

wdhowellsr Tue, 01/27/2009 - 09:23

The pointy haired boss strikes again. GRR!

He changed the IAS server to a new static IP on a different subnet and updated DNS to point to the new IP.

Even when the ASA is configured to point to the IP of the IAS server it fails authentication, even though it can be pinged.

I have a gut feeling that there is DNS corruption somewhere and that while the ASA can ping the server IP it fails on authentication due to incorrect name resolution.

My simple question is if there is a way to hardcode server name, ip and subnet mask in the ASA so that no matter what he screws up on the network as long as we keep the IAS and ASA configured properly it would work.

P.S.

This is why I got out of network engineering.

wdhowellsr Tue, 01/27/2009 - 14:49

Just a heads up. If you mess around with the DNS and IP addresses too much, just remember to clear out your DNS cache and tables on your ASA.

Problem Solved,