Hi, hopefully I'm posting this in the right place and giving the illusion that I have some idea of what I'm talking about. If not, I apologize and would appreciate any relevant input.
My problem is that after properly authenticating to ACS/RSA, VPN users receive a proper IP address from their respective group's IP Pool; however, the ACS seems to forget that the IP address had been assigned after a while, so, for example, it shows 0 IP addresses assigned when the firewall is reporting that there are 4 active connections. What will inevitably happen is someone will end up getting assigned an IP previously assigned to an already existing connection, causing 0 connectivity across the network for the VPN user.
I presume this is a failure of communication between the firewall and ACS in terms of which connections are still alive and what IPs should be available.
Does anyone have any experience/knowledge with this issue or perhaps can clue me in to the mechanics of how the ACS and firewall interact in terms of active connection information?
Thanks in advance.
Thank you for the response. It is currently set for 2 hours, but I guess I'm confused as to some of the terminology in regards to it releasing IP addresses not in use.
For example, if there is a valid VPN connection for 4 hours, it seems that the ACS will recover the IP after 2 hours, so does that mean 2 hours in, the IP will get re-assigned regardless? Or is there supposed to be some mechanism in place that says the connection is still valid so the IP is kept assigned beyond the 2 hour period?
I don't think there is some mechanism if ACS is providing the IP address to the client, but yes, you can adjust the release time. I would suggest you set the time to 5-6 hrs, which is what we have configured in our data center. The reason the time is so large is that a user cannot work continuously for more than 5 to 6 hrs; if at all, then the connection will break and he will once again be assigned a new IP address once the user connects. It won't be a problem in a normal network.
Hope to help
If helpful do rate