ACS Appears to Forget IPs Assigned to VPN Connections

Answered Question
Feb 1st, 2010

Hi, hopefully I'm posting this in the right place and give the illusion that I have some idea of what I'm talking about. If not, I apologize and would appreciate any relevant input.


My problem is that after properly authenticating to ACS/RSA, VPN users receive a proper IP address from their respective group's IP Pool; however, the ACS seems to forget that the IP address has been assigned after a while, so, for example, it shows 0 IP addresses assigned when the firewall is reporting that there are 4 active connections. What will inevitably happen is someone will end up getting assigned an IP previously assigned to an already existing connection, causing 0 connectivity across the network for the VPN user.


I presume this is a failure of communication between the firewall and ACS in terms of which connections are still alive and what IPs should be available.


Does anyone have any experience/knowledge with this issue or perhaps can clue me in to the mechanics of how the ACS and firewall interact in terms of active connection information?


Thanks in advance.

Ganesh Hariharan Mon, 02/01/2010 - 22:59

Hi,


It can be possible that ACS is releasing the IP address that is assigned to the connection; check out the following configuration in ACS for IP Address Recovery, which shows what time is configured to release assigned IP addresses from ACS.


Hope to help


If helpful do rate


Ganesh.H

Brad User Tue, 02/02/2010 - 07:16

Thank you for the response. It is currently set for 2 hours, but I guess I'm confused as to some of the terminology in regards to it releasing IP addresses not in use.


For example, if there is a valid VPN connection for 4 hours, it seems that the ACS will recover the IP after 2 hours, so does that mean 2 hours in, the IP will get re-assigned regardless? Or is there supposed to be some mechanism in place that says the connection is still valid so the IP is kept assigned beyond the 2 hour period?


Thanks again.

Correct Answer
Ganesh Hariharan Tue, 02/02/2010 - 08:17

Hi,


I don't think there is any such mechanism if ACS is providing the IP address to the client, but yes, you can adjust the release time. I would suggest you set the time to 5-6 hrs, which is what we have configured in our Data center. The reason the time is so large is that a user cannot work continuously for more than 5 to 6 hrs; if at all, then the connection will break and once again he will be assigned a new IP address once the user connects. It won't be a problem in a normal network.


Hope to help


If helpful do rate


Ganesh.H
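As an added illustration (not code from this thread or from Cisco ACS), the Python model below reproduces the race Brad describes: the pool reclaims an address purely on the recovery timer, as Ganesh's answer suggests, while the firewall still carries the older tunnel on that address. Assumptions are a timer-only reclaim, lowest-free-address allocation, and constructed user names, times and addresses; the second run shows that a recovery period longer than the longest tunnel avoids the conflict.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Modelled ACS IP pool (assumption: reclaim on timer only, no liveness check)."""
    free: set                       # free addresses (constructed sample values)
    recovery_hours: float           # the ACS "IP Address Recovery" period
    leases: dict = field(default_factory=dict)   # ip -> (user, assigned_at)

    def assign(self, user, now):
        # A lease older than recovery_hours is forgotten, whether or not the
        # tunnel is still up on the firewall (the behaviour the thread observes).
        for ip, (_, t0) in list(self.leases.items()):
            if now - t0 >= self.recovery_hours:
                del self.leases[ip]
                self.free.add(ip)
        if not self.free:
            return None             # pool exhausted
        ip = min(self.free)         # assumption: lowest free address is handed out
        self.free.remove(ip)
        self.leases[ip] = (user, now)
        return ip


def run(recovery_hours, sessions, pool_size=4):
    """sessions: (user, connect_hour, duration_hours) in connect order.
    Returns (assignments, conflicts); a conflict is an IP handed to a new
    user while the firewall still sees an older tunnel on that IP."""
    pool = Pool({f"10.10.0.{i}" for i in range(1, pool_size + 1)}, recovery_hours)
    active = {}                     # ip -> (user, ends_at): the firewall's view
    assignments, conflicts = {}, []
    for user, t, dur in sessions:
        # forget tunnels the firewall has already torn down
        active = {ip: v for ip, v in active.items() if v[1] > t}
        ip = pool.assign(user, t)
        assignments[user] = ip
        if ip is None:
            continue
        if ip in active:            # ACS reused an address still in use
            conflicts.append((ip, active[ip][0], user, t))
        active[ip] = (user, t + dur)
    return assignments, conflicts


# constructed sessions: three 4-hour tunnels, then a fourth user at 2.5 h
SESSIONS = [("alice", 0.0, 4.0), ("bob", 0.5, 4.0), ("dave", 1.0, 4.0), ("carol", 2.5, 1.0)]

if __name__ == "__main__":
    for hours in (2, 6):
        print(f"recovery={hours}h", run(hours, SESSIONS))
```

With a 2-hour recovery period carol receives alice's still-active address; with 6 hours she receives the remaining free one.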

Brad User Tue, 02/02/2010 - 12:15

Thank you. For now, I'll just extend the Recovery time to a more lengthy period as we look into configuring the firewall to force drop connections, preferably based on IP pool.

amjadhalim Sat, 02/13/2010 - 23:48

Dear

I'm facing the same problem with my ACS: it forgets the assigned IP and tries to give the same IP to a different client, which makes a conflict and disconnects the new session, error 433 from the client side.

After reading your post I set the release period to 24 hours; maybe this will fix this problem.
