VPN Client Password Expiry Issue (ASA & Active Directory)

Unanswered Question
Apr 16th, 2010

VPN Client Password Expiry issue.

ASA 5510 running 8.2(1) image

Cisco VPN Client

Windows Active Directory server 2003

I am currently having issues with the password expiry feature within remote connections authenticating with the Active Directory server.

The Secure LDAP connection is configured and working, with users authenticating against Active Directory and getting the correct dynamic policy based on their AD group membership.

If I set the ‘User must change password at next logon’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login as expected. I have entered the ‘Password management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the users ‘Password will expire in n days’, but this does not occur.

I have set up an account whose password is due to expire in 12 days and logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out. I have also set ‘password-management password-expire-in-days 14’ (I have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection.

What do I need to do to get this warning message to the remote end user?

Any assistance is gratefully received.



aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
 timeout 5
 server-port 636
 ldap-base-dn cn=Users,dc=testrig,dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=Users,dc=testrig,dc=company,dc=com
 ldap-over-ssl enable
 server-type microsoft

tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
 address-pool RAS-VPN-POOL
 authentication-server-group LDAP-RAS-ACCESS
 authentication-server-group (inside) LDAP-RAS-ACCESS
 accounting-server-group ACS-RAS-ACCESS
 password-management password-expire-in-days 13
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
 pre-shared-key *
tunnel-group LDAP-RAS-ACCESS ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

stephen-phillips Fri, 04/16/2010 - 06:10


Thanks for the fast response. I am currently using the default group policy, and the group-lock is set to none.

group-lock none



Jennifer Halim Fri, 04/16/2010 - 06:36

OK, this seems to be bug ID CSCsy52125 - pswd-mgmt w/IPSec Client - pssword expires in X days broken

Unfortunately it's an internal bug, so you can't view it through the bug tool kit. The fix is in ASA version 8.2.1(10).

stephen-phillips Mon, 04/19/2010 - 00:44

I have upgraded to version 8.2(2) and am still experiencing the same problem.

I have an account with a password expiring in 10 days. If I set 'Password Management' on the ASA to anything less than 10 days, the user is allowed access; however, if I set it to 10 days or more, there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.

5|Apr 19 2010|10:28:06|713904|||||IP =, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP =, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP =, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007||22452|||SSL session with server inside: terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002||22452|||Device completed SSL handshake with server inside:
6|Apr 19 2010|10:28:06|725005||22452|||SSL server inside: requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001||22452|||Starting SSL handshake with server inside: for TLSv1 session.
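Triage of the syslog export format pasted above, as an added Python example that is not part of this thread: it parses the pipe-delimited lines, picks out message 113005 (AAA authentication rejected) and separates the "Password is expiring" reason, so an operator can tell this warning-state rejection from an ordinary bad-password failure when reviewing ASA logs. The sample lines are constructed from the ones in the post; the extra "Invalid password" line and the assumed field layout after the message ID are assumptions, not output from this ASA.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the export layout pasted in the thread (assumed):
# severity|date|time|message-id|<four session/empty fields>|message text
SAMPLE_LOG = """\
5|Apr 19 2010|10:28:06|713904|||||IP =, Received encrypted packet with no matching SA, dropping
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:07|113005|||||AAA user authentication Rejected : reason = Invalid password : server = B-ACS-LDAP-SERVER : user = bob
6|Apr 19 2010|10:28:06|725007||22452|||SSL session with server inside: terminated.
"""

# Message 113005 text: "AAA user authentication Rejected : reason = ... : server = ... : user = ..."
REJECT_RE = re.compile(
    r"AAA user authentication Rejected\s*:\s*reason = (?P<reason>.+?)"
    r"\s*:\s*server = (?P<server>\S+)\s*:\s*user = (?P<user>\S+)"
)
EXPIRY_REASON = "Password is expiring"


@dataclass
class AaaReject:
    timestamp: str
    reason: str
    server: str
    user: str


def parse_reject(line: str) -> Optional[AaaReject]:
    """Return an AaaReject for a 113005 line, None for any other line."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 9 or fields[3] != "113005":
        return None
    text = "|".join(fields[8:])  # message text may itself contain '|'
    m = REJECT_RE.search(text)
    if not m:
        return None
    return AaaReject(f"{fields[1]} {fields[2]}", m["reason"], m["server"], m["user"])


def expiry_rejects(log: str) -> List[AaaReject]:
    """Rejections caused by the expiry-warning state rather than a wrong password."""
    recs = (parse_reject(l) for l in log.splitlines())
    return [r for r in recs if r is not None and r.reason == EXPIRY_REASON]


if __name__ == "__main__":
    for r in expiry_rejects(SAMPLE_LOG):
        print(f"{r.timestamp}: user {r.user} rejected by {r.server} ({r.reason})")
```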