Reason 433

Answered Question
Oct 23rd, 2009

Hi guys,

I have a problem with a VPN connection on the FW. The VPN client receives a message that says: "Secure VPN Connection terminated by peer Reason 433: (reason not specified by peer)".

Could anyone help me?

Thank you very much.

Best Regards,

Giuseppe

Correct Answer
Jatin Katyal Fri, 10/23/2009 - 06:13

Hi,

Most of the time we see this error message when the client is unable to get an IP address from the firewall/DHCP/external AAA server.

Please check if you have address-pool defined under the tunnel-group or group-policy.

In order to define address-pool, please visit the below listed doc:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnadd.html

If the above suggestion doesn't work for you, please provide us with the current configuration and the following debugs:

debug crypto isa 127

debug crypto ipsec 127

debug aaa authentication

debug aaa common 127

HTH

JK

Plz rate the helpful posts-
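
The check suggested in the answer above, as an added example (not code from this thread or from Cisco): a Python script that reads an ASA running-config and reports, for each tunnel-group, whether a local address pool is referenced directly or through its default-group-policy, and whether that pool is actually defined. The sample config is constructed and the function name `audit_address_pools` is hypothetical; inheritance from DfltGrpPolicy and address assignment by DHCP or AAA are not modelled.

```python
# Constructed sample running-config, trimmed to the relevant lines;
# every name and address in it is made up.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.50.10-192.168.50.50 mask 255.255.255.0
group-policy gp-staff attributes
 address-pools value vpnpool
tunnel-group mygroup general-attributes
 authentication-server-group myradius
tunnel-group staff general-attributes
 default-group-policy gp-staff
tunnel-group lab general-attributes
 address-pool labpool
"""

def audit_address_pools(config):
    """Map each tunnel-group with a general-attributes block to a finding."""
    defined, tg_pools, tg_policy, gp_pools = set(), {}, {}, {}
    section = None  # ("tg" | "gp", name) while inside an attributes block
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command ends any open block
            section = None
            if words[:3] == ["ip", "local", "pool"] and len(words) > 3:
                defined.add(words[3])
            elif words[0] == "tunnel-group" and words[2:] == ["general-attributes"]:
                section = ("tg", words[1])
                tg_pools.setdefault(words[1], [])
            elif words[0] == "group-policy" and words[2:] == ["attributes"]:
                section = ("gp", words[1])
        elif section and section[0] == "tg":
            if words[0] == "address-pool":  # skip optional "(interface)" token
                tg_pools[section[1]] += [w for w in words[1:] if not w.startswith("(")]
            elif words[0] == "default-group-policy":
                tg_policy[section[1]] = words[1]
        elif section and section[0] == "gp" and words[:2] == ["address-pools", "value"]:
            gp_pools.setdefault(section[1], []).extend(words[2:])
    findings = {}
    for tg, own in tg_pools.items():
        pools = own + gp_pools.get(tg_policy.get(tg), [])
        missing = [p for p in pools if p not in defined]
        findings[tg] = ("no address-pool" if not pools else
                        "undefined pool: " + ",".join(missing) if missing else
                        "ok: " + ",".join(pools))
    return findings

if __name__ == "__main__":
    for name, finding in audit_address_pools(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

A "no address-pool" finding is not by itself an error: the group may be handing out addresses through DHCP or the AAA server instead, which is then the next place to look.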

gpangallo Mon, 10/26/2009 - 04:25

Hi JK,

Thank you for your answer. I have another doubt: viewing the FW configuration, I noticed that the vpn-addr-assign command isn't configured, but the VPN group is defined in "tunnel-group mygroup general-attributes", and moreover there is also authentication toward the RADIUS server with the command "authentication-server-group myradius".

Could it be this misconfiguration?

It could be corruption of the user credentials on the RADIUS server, couldn't it?

Let me know, please.

Best regards,

Giuseppe

Gareth Gudger Thu, 01/23/2014 - 06:42

In my particular case, all my users were getting error 433. It turned out to be the AAA authentication server settings on the firewall. I was authenticating against a Microsoft LDAP server. I think the Logon DN path had some characters Cisco couldn't comprehend. Here is how I fixed it.

http://supertekboy.com/2014/01/23/cisco-vpn-reason-433-reason-not-specified-by-peer/
