VPN with ASA and ACS Pools

Unanswered Question
Aug 3rd, 2010

Our VPN RAS solution uses an ASA 5520 and the Cisco ACS to identify users.

The ACS also delivers the IP addresses.

Sometimes it works, sometimes not.

The connection stops after authentication with Error 433.

When I use an IP pool in the tunnel group of the ASA, everything works fine.

Can anyone help?


ASA 5520
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
CiscoSecure ACS
Release 4.2(1) Build 15 Patch 2
Federico Coto F... Sat, 08/07/2010 - 09:37


The VPN RAS clients always authenticate against the ACS (what changes in both scenarios is only who delivers the IP address, ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.

When the VPN connection fails (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message in the VPN client logs as well.


jens.itzke Thu, 08/12/2010 - 02:34


You are right.

Communication between ASA and ACS should be OK; authentication works fine.

Using the ACS as address pool, it fails:

Debug Message:

"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"

"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"
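
To check whether the intermittent failures cluster on particular users or groups, the two debug lines quoted above can be paired and tallied per peer. This is an added example, not code from any poster or from Cisco; the function names and the sample lines (built from the format quoted in the thread, with documentation-range addresses) are assumptions.

```python
import re
from collections import Counter

# Field layout follows the two debug lines quoted in the thread.
PREFIX = (r"Group\s*=\s*(?P<group>[^,]+),\s*username\s*=\s*(?P<user>[^,]+),"
          r"\s*IP\s*=\s*(?P<ip>[^,]+),\s*")
# Accept both spellings of "received"; capture whatever sits between the brackets.
RESP = re.compile(PREFIX + r"IKE rec(?:ei|ie)ved response of type\s*\[(?P<rtype>[^\]]*)\]", re.I)
FAIL = re.compile(PREFIX + r"Cannot obtain an IP address for remote peer", re.I)

def _key(m):
    return (m["group"].strip(), m["user"].strip(), m["ip"].strip())

def address_failures(lines):
    """Return one (group, user, ip, response_type) tuple per failed assignment.

    response_type is the bracket content of the preceding address-utility
    response for the same peer, or None when no such line was seen.
    """
    pending = {}   # peer -> last response type reported by the address utility
    events = []
    for line in lines:
        m = RESP.search(line)
        if m:
            pending[_key(m)] = m["rtype"].strip()
            continue
        m = FAIL.search(line)
        if m:
            key = _key(m)
            events.append(key + (pending.pop(key, None),))
    return events

def failures_by_user(events):
    """Count failed address assignments per (group, user)."""
    return Counter((group, user) for group, user, _ip, _rtype in events)

# Constructed sample lines (not real logs).
SAMPLE = [
    "Group=RAS, username=alice, IP=198.51.100.10, IKE received response of type[] to a request from the IP address utility",
    "Group=RAS, username=alice, IP=198.51.100.10, Cannot obtain an IP address for remote peer",
    "Group=RAS, username=bob, IP=198.51.100.11,IKE recieved response of type[] to a request from the IP address utility",
    "Group=RAS, username=bob, IP=198.51.100.11, Cannot obtain an IP address for remote peer",
    "Group=RAS, username=alice, IP=198.51.100.10, Cannot obtain an IP address for remote peer",
]

if __name__ == "__main__":
    for (group, user), n in failures_by_user(address_failures(SAMPLE)).most_common():
        print(f"{group}/{user}: {n} failed address assignment(s)")
```
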


