ASA 5510 VPN Remote Access with Radius authentication issue

Unanswered Question
Jul 14th, 2010

Hello,

I have a Cisco ASA 5510 with a remote access VPN configuration. I authenticate the users using a RADIUS server. The problem is that only two simultaneous users can connect to (ping) my local network; after the 3rd user authenticates to the VPN, they can't ping the local network, but the first two users to log in can ping and connect to my local network.

I don't have a user limit on the ASA, all the users can authenticate, and I can't see anything relevant in the syslog log file. Could it be the RADIUS server? It's installed on an old server.

I will really appreciate any help.

This is a portion of my configuration file:

access-list vpn extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0

ip local pool ippool 10.0.0.1-10.0.0.254


aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (ethernet1) host 192.168.0.100


crypto ipsec transform-set myset1 esp-3des esp-sha-hmac

crypto dynamic-map dynmap1 20 set transform-set myset1

crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface ethernet0

crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp identity address
crypto isakmp enable ethernet0

group-policy RA-VPN internal
group-policy RA-VPN attributes
wins-server value 192.168.0.70
dns-server value 8.8.4.4
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group RA-VPN general-attributes
address-pool ippool
authentication-server-group (ethernet0) partnerauth
default-group-policy RA-VPN
tunnel-group  ipsec-attributes
pre-shared-key *****

Regards,

Layard Terrero

kenrandrews Wed, 07/14/2010 - 08:12

When the third user connects do they get a valid IP? If so can you do a packet capture and see how far the packets are getting, as in never leaving the PC or making it into the network and then not back out?

I don't see why it would be the radius server because all it is doing is authentication, unless you have some Authorization set up as well. If you really want to rule it out, just setup some local users and log directly into the ASA.

layardterrero Wed, 07/14/2010 - 08:18

The 3rd user gets a valid IP address; in the VPN client I see the transmitted packets encrypted, but no encrypted packets received, so I guess that the traffic is not returning.

I don't understand why it happens just with the 3rd user; I think that if it was a network issue it should happen with every user. What do you think?

Regards

kenrandrews Wed, 07/14/2010 - 08:34

Yeah that is puzzling me as well. I am assuming that the third user is not always the same user or computer, right? Also you don't have more than one user coming from the same NATed IP address correct?

Have you tried starting from scratch and using the VPN Wizard for a base config just to see if that works?

layardterrero Wed, 07/14/2010 - 08:57

That's really what I'm gonna do if I don't get the direct solution (the one that I really want): starting from scratch. The users come from different computers and IP addresses.

kenrandrews Wed, 07/14/2010 - 09:07

Sorry, I don't have anything else for you; this seems like a fluke thing to me. What happens if you ping the 3rd user from inside the network?

The best way I can think of to track this down is just to do packet captures to follow the packets through the network and figure out where they are dropping (look into the capture command). That will give you at least a starting point to figure out where to start looking. You could also try the Packet Tracer tool inside the ASDM, but that is kind of limited in this case.
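The capture-based approach kenrandrews describes, written out as an added example (not commands from the thread) for an ASA 8.x. It keeps the interface names from the posted config (ethernet0 outside, ethernet1 inside); the ASA's public address 203.0.113.10, the third client's pool address 10.0.0.3, its public address 198.51.100.25 and the inside host 192.168.0.50 are constructed values.

```cisco
! Added example, not part of the original thread.
! Step 1: is the third client's traffic reaching the ASA at all?
! Capture IKE (UDP/500), NAT-T (UDP/4500) and raw ESP on the outside
! interface in both directions.
access-list CAP-OUT extended permit udp any host 203.0.113.10 eq 500
access-list CAP-OUT extended permit udp host 203.0.113.10 eq 500 any
access-list CAP-OUT extended permit udp any host 203.0.113.10 eq 4500
access-list CAP-OUT extended permit udp host 203.0.113.10 eq 4500 any
access-list CAP-OUT extended permit esp any host 203.0.113.10
access-list CAP-OUT extended permit esp host 203.0.113.10 any
capture OUTSIDE interface ethernet0 access-list CAP-OUT buffer 1000000

! Step 2: does the decrypted ping leave the inside interface, and does
! the reply come back to the ASA? (10.0.0.3 is the client's pool address.)
access-list CAP-IN extended permit icmp host 10.0.0.3 192.168.0.0 255.255.0.0
access-list CAP-IN extended permit icmp 192.168.0.0 255.255.0.0 host 10.0.0.3
capture INSIDE interface ethernet1 access-list CAP-IN buffer 1000000

! Have the third user ping 192.168.0.50, then look at both buffers.
show capture OUTSIDE
show capture INSIDE

! Per-tunnel counters for that client's SA: "#pkts decaps" increasing while
! "#pkts encaps" stays at 0 means the ASA decrypts the client's packets but
! never sends anything back (reply lost on the inside, or routing/NAT);
! no decaps at all means the packets never arrive at the ASA.
show crypto ipsec sa peer 198.51.100.25
show vpn-sessiondb remote

! Step 3: simulate the return path from the inside host to the client
! (ICMP echo request, type 8 code 0) to see which rule, route or NAT
! statement would drop it.
packet-tracer input ethernet1 icmp 192.168.0.50 8 0 10.0.0.3 detailed

! Step 4: remove the captures and their ACLs when done.
no capture OUTSIDE
no capture INSIDE
clear configure access-list CAP-OUT
clear configure access-list CAP-IN
```

Comparing the two buffers narrows the fault to one hop: packets on OUTSIDE but nothing on INSIDE points at decryption or the crypto ACL, requests on INSIDE with no replies points at the LAN, and replies on INSIDE with no matching ESP on OUTSIDE points at the ASA's return path to that particular client.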

layardterrero Wed, 07/14/2010 - 17:33

Another idea?? :S Tomorrow I'll run the capture command.

I will really appreciate any idea or help.

layardterrero Sun, 07/18/2010 - 19:05

I configured it again with the NAT-T enabled, it solved the problem.

Regards,

shivudu1984 Tue, 12/28/2010 - 11:02

Hi

Can you post the config with NAT-T enabled?? Currently I am configuring RAVPN on a Cisco 5510 with Windows Server 2008 R2 as my RADIUS server.

Thanks
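An added example of the remote-access pieces with NAT-T enabled on an ASA 8.x; this is not the original poster's final config, which was never published in the thread. It reuses the names from the posted config (partnerauth, ippool, RA-VPN, interfaces ethernet0/ethernet1, RADIUS host 192.168.0.100); the RADIUS secret, the group pre-shared key and the client's public address are placeholders.

```cisco
! Added example, not the original poster's configuration.
aaa-server partnerauth protocol radius
aaa-server partnerauth (ethernet1) host 192.168.0.100
 key <radius-shared-secret>

ip local pool ippool 10.0.0.1-10.0.0.254 mask 255.255.255.0

crypto ipsec transform-set myset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap1 20 set transform-set myset1
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface ethernet0

crypto isakmp enable ethernet0
! NAT-Traversal: the peers detect a NAT between them during IKE phase 1 and
! then carry ESP inside UDP/4500 instead of as protocol 50, so several
! clients behind one NAT (or a NAT that cannot track ESP) still get their
! return traffic. The argument is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ippool
 authentication-server-group partnerauth
 default-group-policy RA-VPN
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <group-pre-shared-key>

! Verification for a connected client (198.51.100.25 is a constructed
! public address): the SA's "in use settings" line should list
! NAT-T-Encaps, and the outside capture from the earlier post should show
! UDP/4500 rather than raw ESP for that client.
show crypto ipsec sa peer 198.51.100.25
show crypto isakmp sa detail
```

Anything in front of the ASA (an upstream firewall or router) must allow UDP/500, UDP/4500 and ESP to the outside address; if NAT-T is enabled on the ASA but a client still negotiates plain ESP, check that nothing on the client side is blocking UDP/4500, since the peers only switch to UDP encapsulation when both detect the NAT.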
