02-01-2010 12:38 PM - edited 03-10-2019 04:55 PM
Hi, hopefully I'm posting this in the right place and give the illusion that I have some idea of what I'm talking about. If not, I apologize and would appreciate any relevant input.
My problem is that after properly authenticating to ACS/RSA, VPN users receive a proper IP address from their respective group's IP Pool; however, the ACS seems to forget that the IP address had been assigned after a while, so, for example, it shows 0 IP addresses assigned when the firewall is reporting that there are 4 active connections. What will inevitably happen is someone will end up getting assigned an IP previously assigned to an already existing connection, causing 0 connectivity across the network for the VPN user.
I presume this is a failure of communication between the firewall and ACS in terms of which connections are still alive and what IPs should be available.
Does anyone have any experience/knowledge with this issue or perhaps can clue me in to the mechanics of how the ACS and firewall interact in terms of active connection information?
Thanks in advance.
02-01-2010 10:59 PM
Hi,
It can be possible that ACS is releasing the IP address that is assigned to the connection. Check the IP Address Recovery configuration in ACS to see what time is configured to release assigned IP addresses from ACS.
Hope to help
If helpful do rate
Ganesh.H
02-02-2010 07:16 AM
Thank you for the response. It is currently set for 2 hours, but I guess I'm confused as to some of the terminology in regards to it releasing IP addresses not in use.
For example, if there is a valid VPN connection for 4 hours, it seems that the ACS will recover the IP after 2 hours, so does that mean 2 hours in, the IP will get re-assigned regardless? Or is there supposed to be some mechanism in place that says the connection is still valid so the IP is kept assigned beyond the 2 hour period?
Thanks again.
02-02-2010 08:17 AM
Hi,
I don't think there is such a mechanism if ACS is providing the IP address to the client, but yes, you can adjust the release time. I would suggest you set the time to 5-6 hrs, which is what we have configured in our data center. The time is so large because a user cannot work continuously for more than 5 to 6 hrs; if at all they do, the connection will break and once again they will be assigned a new IP address once the user connects. It won't be a problem in a normal network.
Hope to help
If helpful do rate
Ganesh.H
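The exchange above (a 2-hour recovery timer on the ACS pool versus a VPN session that stays up for 4 hours, with no liveness signal from the firewall) is easy to reproduce in a small model. The following is an added illustration written for this page, not Cisco ACS code; the `IPPool` class, its method names and the `10.10.0.0/29` pool are hypothetical. The first mode frees addresses purely on the timer, as the thread describes, so a second client gets the same address while the first session is still up. The second mode refreshes the lease whenever the NAS reports the session alive (the way a RADIUS Accounting Interim-Update would), which is the mechanism the asker wondered about and the answer says this ACS setup does not have; it is shown here only to make clear what a fix would need.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Lease:
    address: IPv4Address
    session_id: str
    expires_at: int  # seconds on the pool's own clock


@dataclass
class IPPool:
    """Hypothetical pool: addresses are forgotten on a fixed recovery timer."""
    network: IPv4Network
    recovery_seconds: int
    leases: dict = field(default_factory=dict)  # IPv4Address -> Lease

    def _reclaim(self, now: int) -> None:
        # Anything older than the recovery timer is freed, whether or not
        # the VPN session behind it is still up: this is the failure mode.
        expired = [a for a, l in self.leases.items() if l.expires_at <= now]
        for addr in expired:
            del self.leases[addr]

    def assign(self, session_id: str, now: int) -> IPv4Address:
        """Authentication / Accounting Start: hand out the lowest free address."""
        self._reclaim(now)
        for addr in self.network.hosts():
            if addr not in self.leases:
                self.leases[addr] = Lease(addr, session_id, now + self.recovery_seconds)
                return addr
        raise RuntimeError("pool exhausted")

    def refresh(self, session_id: str, now: int) -> bool:
        """Accounting Interim-Update for a live session: extend its lease."""
        for lease in self.leases.values():
            if lease.session_id == session_id:
                lease.expires_at = now + self.recovery_seconds
                return True
        return False

    def release(self, session_id: str) -> None:
        """Accounting Stop: free the address immediately."""
        self.leases = {a: l for a, l in self.leases.items()
                       if l.session_id != session_id}


def run_scenario(send_interim_updates: bool, interim_seconds: int = 600):
    """Session A stays up for hours on a pool with a 2 h recovery timer;
    session B connects 3 h in. Returns (addr_a, addr_b, leases_tracked)."""
    pool = IPPool(IPv4Network("10.10.0.0/29"), recovery_seconds=2 * 3600)
    addr_a = pool.assign("sess-A", now=0)
    now = 0
    while now < 3 * 3600:
        now += interim_seconds
        if send_interim_updates:
            pool.refresh("sess-A", now)  # NAS says "still connected"
    addr_b = pool.assign("sess-B", now)
    return addr_a, addr_b, len(pool.leases)


if __name__ == "__main__":
    a, b, n = run_scenario(send_interim_updates=False)
    print(f"fixed timer only: A={a} B={b} leases tracked={n}")  # A == B: the conflict
    a, b, n = run_scenario(send_interim_updates=True)
    print(f"lease refreshed:  A={a} B={b} leases tracked={n}")  # distinct addresses
```

In the timer-only run the pool reports a single tracked lease while two sessions are up, which matches the "0 assigned while the firewall shows 4 connections" symptom in the original post; raising `recovery_seconds` only moves the collision later, whereas the refresh path ties the lease to the session's actual lifetime.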
02-02-2010 12:15 PM
Thank you. For now, I'll just extend the Recovery time to a more lengthy period as we look into configuring the firewall to force drop connections, preferably based on IP pool.
02-13-2010 11:48 PM
Dear
I'm facing the same problem with my ACS: it forgets the assigned IP and tries to give the same IP to a different client, which makes a conflict and disconnects the new session, error 433 from the client side.
After reading your post I set the release period to 24 hours; maybe this will fix this problem.