RSA password change

I have the ASA configured to use RSA tokens when connecting with VPN. The people are not allowed to change the PIN when it has expired, or to create a new one, through the VPN.

Error from VPN client version 5.0.06.0160:

Secure VPN Connection terminated by peer.

Reason 427: Unknown Error Occured at Peer.

Attached is the log from the VPN Client.

AAA config:

aaa-server SDI_Server protocol sdi
aaa-server SDI_Server (inside) host x.x.x.x
aaa-server SDI_Server (inside) host x.x.x.x
group-policy Remote_PCI_Auditors_VPN internal
group-policy Remote_PCI_Auditors_VPN attributes
 dns-server value x.x.x.x x.x.x.x
 vpn-tunnel-protocol IPSec
 default-domain value x.com
 address-pools value Remote_PCI_Auditors_VPN_Pool
tunnel-group Remote_PCI_Auditors_VPN type remote-access
tunnel-group Remote_PCI_Auditors_VPN general-attributes
 address-pool Remote_PCI_Auditors_VPN_Pool
 authentication-server-group SDI_Server
 default-group-policy Remote_PCI_Auditors_VPN
 strip-realm
 password-management
 strip-group
tunnel-group Remote_PCI_Auditors_VPN ipsec-attributes
 pre-shared-key *
 radius-sdi-xauth
!


altarum-kmoore
Level 1

We have an RSA server in a network that we manage.

How are you querying the user information?  Are you using LDAP to pull user information from a directory?

When we had it installed, our contractor told us that we had to have LDAPS implemented if a user wanted to change their password through the RSA box. We had to install a certificate (we got Verisign) to make it work.

We have it up and running and have password resets working as well.

It is working. The problem was not our setup but on the user end: their internet connection was slow going across the country and it was timing out.

Mudasir Abbas
Level 1

Hi,

Please have a look at my configs. Am I missing something? It's not working.

aaa-server RSA protocol sdi
aaa-server RSA (Inside) host 10.112.211.160
 timeout 5
group-policy XXX attributes
 dns-server value 10.112.211.149
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSS-SPLIT
 default-domain value jubailrefining.com
 address-pools value Alsaeed_pool
 webvpn
  svc mtu 1374
tunnel-group SSS type remote-access
tunnel-group SSS general-attributes
 address-pool Alsaeed_pool
 authentication-server-group RSA
 default-group-policy XXX
 strip-realm
 password-management
 strip-group
tunnel-group XXX webvpn-attributes
 proxy-auth sdi
 group-alias XXX enable
tunnel-group SSS ipsec-attributes
 pre-shared-key *
 radius-sdi-xauth

Debug sdi

sdi mkreq: 0x4119a
sip_lookup: sip with id 266650 not found
alloc_sip 0xcd219080
    new request 0x4119a --> 0 (0xcd219080)
New SIP state: SDI_NEW (loc 1359)
add_req 0xcd219080 session 0x4119a id 197
init_ace_server: handle 3391925493, server_id 129, server_addr 10.112.211.160, sess_id 266650
New SIP state: SDI_WAIT_INIT_RESP (loc 1000)
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 1013)
turnaround_time - idx: 0, time: 1
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 2
New SIP state: SDI_ERROR (loc 1041)
New SIP state: SDI_DELETE (loc 1146)
remove_req 0xcd219080 session 0x4119a id 197
free_sip 0xcd219080
sdi: send queue empty

Thanks & Regards

Mudasir Abbas
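As an added example (not code from either poster), a small Python check that cross-references the names in an ASA remote-access excerpt like the two posted in this thread: it flags a `tunnel-group NAME ...-attributes` block with no matching `tunnel-group NAME type` line, and an `authentication-server-group` that names no defined `aaa-server`. The embedded excerpt is constructed from the second config above; the function and its output format are this example's own.

```python
import re
from typing import List

# Constructed excerpt modelled on the second config posted in this thread.
SAMPLE_CONFIG = """
aaa-server RSA protocol sdi
aaa-server RSA (Inside) host 10.112.211.160
 timeout 5
tunnel-group SSS type remote-access
tunnel-group SSS general-attributes
 address-pool Alsaeed_pool
 authentication-server-group RSA
 default-group-policy XXX
 password-management
tunnel-group XXX webvpn-attributes
 proxy-auth sdi
 group-alias XXX enable
tunnel-group SSS ipsec-attributes
 pre-shared-key *
 radius-sdi-xauth
"""


def check_tunnel_groups(config: str) -> List[str]:
    """Return dangling-reference findings for an ASA remote-access excerpt.

    Every 'tunnel-group NAME <kind>-attributes' block must have a matching
    'tunnel-group NAME type ...' line, and every 'authentication-server-group'
    must name an 'aaa-server NAME protocol ...' definition (LOCAL is built in).
    """
    defined_tg, defined_aaa, findings = set(), {"LOCAL"}, []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Pass 1: collect the objects the excerpt defines.
    for ln in lines:
        if m := re.match(r"tunnel-group (\S+) type\b", ln):
            defined_tg.add(m.group(1))
        elif m := re.match(r"aaa-server (\S+) protocol\b", ln):
            defined_aaa.add(m.group(1))
    # Pass 2: resolve references, remembering the enclosing tunnel-group.
    current = None
    for ln in lines:
        if m := re.match(r"tunnel-group (\S+) \S+-attributes$", ln):
            current = m.group(1)
            if current not in defined_tg:
                findings.append(f"{ln}: no 'tunnel-group {current} type' line")
        elif m := re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", ln):
            if m.group(1) not in defined_aaa:
                findings.append(f"tunnel-group {current}: authentication-server-group "
                                f"{m.group(1)} names no aaa-server")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_groups(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```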

Is the agent on the RSA server set up?
