VPN with ASA and ACS Pools

Unanswered Question
Aug 3rd, 2010

Our VPN RAS Solution uses an ASA 5520 and  the Cisco ACS to identify Users.

The ACS also delievers the IP-Addresses.

Sometimes it works, sometimes not.

The connection stops after authentication with Error 433.

When I use ab IP-Pool in the Tunnel-Groupof the ASA, everything works fine.

Can anyone help?


ASA  5520
Cisco  Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version  6.0(3)
CiscoSecure  ACS
Release 4.2(1) Build 15 Patch 2
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Sat, 08/07/2010 - 09:37


The VPN RAS clients always authenticate against the ACS (what changes on both scenarios is only who delivers the IP address ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.

When the VPN connection fails, (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message on the VPN client logs as well.


jens.itzke Thu, 08/12/2010 - 02:34


you are right.

Communication between ASA and ACS should be ok, authentication works fine.

Using the ACS as Address Pool and fails:

Debug Message:

"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"

"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"



This Discussion