NEED help from Experts of CISCO

Faizan Khursheed · ‎07-30-2009

i have configured remote access VPN for my client on ASA version 7.0.they can able to remotely login on it but with one name only 2 simulateneosuly connection established but not more than that .when 3 person want to access with same name it's not allow to do it

what will be the reason how can i get out of this pathteic problem.i havent find any viable material .Need your help

richard.jones · ‎07-30-2009

This link may help you:

http://supportwiki.cisco.com/ViewWiki/index.php/Unable_to_connect_more_than_three_VPN_client_users_to_PIX/ASA_and_the_Secure_VPN_Connection_terminated_locally_by_the_client._Reason_413_User_Authentication_failed_error_message_appears

Faizan Khursheed · ‎07-31-2009

thanks for your help i m actually facing other multiple users with same name can connect themself simultaneously

but not abble to ping split tunnel IP's

which i allowed in my configuration

if just one user connect he able to access all the IP

but multiple user with same name simultaneoulsy not able to ping

why and how can i solve this problem

waiting for your reply

kwillacey · ‎07-31-2009

post config

Faizan Khursheed · ‎07-31-2009

i m pasting selected configuration which necessary for Remote access VPN

access-list DMZ-DB-nonat extended permit ip 172.20.18.0 255.255.255.0 9.1.1.0 255.255.255.0

access-list RABRANCH standard permit host 172.20.18.12

access-list RADataBase standard permit host 172.20.18.12

access-list RADataBase standard permit host 172.20.17.12

access-list RADataBase standard permit host 172.20.17.11

access-list RAAdmin standard permit host 172.20.17.15

access-list RAAdmin standard permit host 172.20.17.12

access-list RAAdmin standard permit host 172.20.17.11

access-list RAAdmin standard permit host 172.20.17.17

access-list RAAdmin standard permit host 172.20.17.26

access-list RAAdmin standard permit host 172.20.17.27

access-list RAAdmin standard permit host 172.20.17.28

access-list RAAdmin standard permit host 172.20.17.31

access-list RAAdmin standard permit host 172.20.17.32

access-list RAAdmin standard permit host 172.20.18.12

access-list RAAdmin standard permit host 172.20.18.17

access-list RAAdmin standard permit host 172.20.18.18

access-list RAAdmin standard permit host 172.20.18.19

access-list RAAdmin standard permit host 172.20.18.20

access-list RAAdmin standard permit host 172.20.18.50

access-list RAAdmin standard permit host 172.20.18.100

access-list RAAdmin standard permit host 172.20.17.52

access-list DMZ-APP-nonat extended permit ip 172.20.17.0 255.255.255.0 9.1.1.0 255.255.255.0

ip local pool VPNPOOL 9.1.1.0-9.1.1.100 mask 255.255.255.0

nat (DMZ-DB) 0 access-list DMZ-DB-nonat

nat (DMZ-APP) 0 access-list DMZ-APP-nonat

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set DIBRA esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set transform-set DIBRA

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 3600

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 172.20.3.0 255.255.255.0 inside

telnet 172.20.200.0 255.255.255.0 insideadmin

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy BRANCH internal

group-policy BRANCH attributes

dns-server value 172.20.10.100

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RABRANCH

group-policy DataBase internal

group-policy DataBase attributes

dns-server value 172.20.10.100

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RADataBase

group-policy Admin internal

group-policy Admin attributes

dns-server value 172.20.10.100

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RAAdmin

username SADBAS password EAsVs94WRKBssa/R encrypted

username SADBAS attributes

vpn-group-policy DataBase

username Admin password diNnsTo5dthlcLs5 encrypted

username Admin attributes

vpn-group-policy Admin

username BUSER password /Xu0va7mHdNk9tXI encrypted

username BUSER attributes

vpn-group-policy BRANCH

tunnel-group BRANCH type remote-access

tunnel-group BRANCH general-attributes

address-pool VPNPOOL

default-group-policy BRANCH

tunnel-group BRANCH ipsec-attributes

pre-shared-key *

tunnel-group DataBase type remote-access

tunnel-group DataBase general-attributes

address-pool VPNPOOL

tunnel-group DataBase ipsec-attributes

pre-shared-key *

tunnel-group Admin type remote-access

tunnel-group Admin general-attributes

address-pool VPNPOOL

tunnel-group Admin ipsec-attributes

pre-shared-key *

keith.barker · ‎08-01-2009

Do a show version, and verify how many VPNs are supported.

When you are having your VPN users log in, are they using the SAME account? If so, you may have a limit on simultaneous logins, and that would also explain why the 3rd person can not log in.

Best wishes,

Keith.

Faizan Khursheed · ‎08-01-2009

ok i will see it . Problem is that i use

vpn-simultaneous-login command in group-policy attribute it able multiple users to login simultaneously with Same name

bu then they cant ping any IP which i allow on my Split tunnel

while when 1 user connected it able to access all the server which i allow in my split tunnel

what is the reason and then how can resolve this issue

thanks in advance

Faizan Khursheed · ‎08-02-2009

Cisco Adaptive Security Appliance Software Version 7.0(7)

Compiled on Fri 06-Jul-07 10:37 by builders

System image file is "disk0:/asa707-k8.bin"

Config file at boot was "startup-config"

ASA-Primary up 136 days 5 hours

failover cluster up 136 days 5 hours

Hardware: ASA5540-K8, 1024 MB RAM, CPU Pentium 4 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0018.b91b.6042, irq 9

1: Ext: GigabitEthernet0/1 : address is 0018.b91b.6043, irq 9

2: Ext: GigabitEthernet0/2 : address is 0018.b91b.6044, irq 9

3: Ext: GigabitEthernet0/3 : address is 0018.b91b.6045, irq 9

4: Ext: Management0/0 : address is 0018.b91b.6041, irq 11

5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11

6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 200

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 5000

This platform has an ASA 5540 VPN Premium license.

this is the show version of my firewall

i shall be very thankful to u if you people helping me in resolving issue

with same name 6 user simualtaneously login but not able to ping any server which i allowed in my split tunnneled

whereas whn 1 user get connected he able to access all the servre how can i resolve this issue

plz guided if it is not possible then providing me Cisco documentation .i will present this infront of my client

kwillacey · ‎08-03-2009

you don't seem to have nat traversal enabled enable it with "crypto isakmp nat-traversal 3600". Try that and see if it works.

Faizan Khursheed · ‎08-03-2009

thanks for your support problem has ben sort it out

many thanks to all of u