01-26-2009 12:45 PM
Hi guys!
I'm running ASA 8.0(4) code and trying to do NAC Framework on it to posture my VPN clients. However, anytime a client "VPNs" in, it gets "clientless". Here is the log snip:
%ASA-6-335001: NAC session initialized - 10.1.149.1.
%ASA-5-335003: NAC Default ACL applied, ACL:aclNACDefault - 10.1.149.1.
%ASA-6-334001: EAPoUDP association initiated - 10.1.149.1.
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.1.149.1.
%ASA-6-334004: Authentication request for NAC Clientless host - 10.1.149.1.
%ASA-5-335003: NAC Default ACL applied, ACL:aclNACDefault - 10.1.149.1.
%ASA-5-334005: Host put into NAC Hold state - 10.1.149.1.
%ASA-6-334007: EAPoUDP association terminated - 10.1.149.1.
CTA is running and it's 2.1.103. Personal FW is off and CTA is working fine with the switch as a NAD.
02-02-2009 02:00 PM
You may want to do a sanity check on whether or not ASA is sourcing the EoU traffic from the correct interface.
Do a packet capture on the client, then clear eou on the ASA. Make sure EoU traffic is sourced from the ASA's.
02-04-2009 06:36 AM
Thanx mchin345,
I did the packet capture and only caught two packets, both sourced from my physical LAN adapter's IP, port UDP/21862, and with destination ASA's outside interface, port UDP/1024. There was no reply caught, though.
Isn't this odd? I would expect this to be sourced from ASA's port greater than 1024 and destination to be UDP/21862. At least that. Aside from the fact that communication is going "outside" the tunnel, which is not possible when the tunnel is up.
I did the capture using my laptop and wireshark.
Am I mistaken on this?
Regs,
Sasa
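An added example, not part of the original posts: a small Python parser that groups the ASA NAC/EAPoUDP syslog messages quoted in the first post by host and flags hosts that were handed to the clientless path after the EAPoUDP probe went unanswered. The sample lines are copied from the log in this thread; the function name and the verdict labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
%ASA-6-335001: NAC session initialized - 10.1.149.1.
%ASA-5-335003: NAC Default ACL applied, ACL:aclNACDefault - 10.1.149.1.
%ASA-6-334001: EAPoUDP association initiated - 10.1.149.1.
%ASA-5-334006: EAPoUDP failed to get a response from host - 10.1.149.1.
%ASA-6-334004: Authentication request for NAC Clientless host - 10.1.149.1.
%ASA-5-335003: NAC Default ACL applied, ACL:aclNACDefault - 10.1.149.1.
%ASA-5-334005: Host put into NAC Hold state - 10.1.149.1.
%ASA-6-334007: EAPoUDP association terminated - 10.1.149.1.
"""

# Layout seen in the thread: %ASA-<severity>-<message id>: <text> - <host ip>.
LINE_RE = re.compile(
    r"%ASA-(\d)-(\d{6}): (.+?) - (\d{1,3}(?:\.\d{1,3}){3})\.?\s*$"
)


def classify_nac_sessions(log_text):
    """Return {host: verdict} built from ASA NAC/EAPoUDP syslog lines.

    Verdict labels are hypothetical names chosen for this example.
    """
    events = defaultdict(list)  # host -> message ids in order of appearance
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            _severity, msg_id, _text, host = match.groups()
            events[host].append(msg_id)

    verdicts = {}
    for host, ids in events.items():
        no_response = "334006" in ids  # "EAPoUDP failed to get a response from host"
        clientless = "334004" in ids   # "Authentication request for NAC Clientless host"
        if no_response and clientless and ids.index("334006") < ids.index("334004"):
            verdicts[host] = "clientless-after-eou-timeout"
        elif clientless:
            verdicts[host] = "clientless"
        elif "334001" in ids:          # "EAPoUDP association initiated"
            verdicts[host] = "eou-started"
        else:
            verdicts[host] = "other"
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify_nac_sessions(SAMPLE_LOG).items():
        print(host, verdict)
```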