VPN with ASA and ACS Pools

Unanswered Question
Aug 3rd, 2010
Our VPN RAS solution uses an ASA 5520 and the Cisco ACS to identify users.

The ACS also delivers the IP addresses.


Sometimes it works, sometimes not.


The connection stops after authentication with Error 433.



When I use an IP pool in the tunnel-group of the ASA, everything works fine.


Can anyone help?



Hardware:

ASA 5520
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
----
CiscoSecure ACS
Release 4.2(1) Build 15 Patch 2
Federico Coto F... Sat, 08/07/2010 - 09:37

Hi,


The VPN RAS clients always authenticate against the ACS (what changes on both scenarios is only who delivers the IP address ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.


When the VPN connection fails, (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message on the VPN client logs as well.


Federico.

jens.itzke Thu, 08/12/2010 - 02:34
Hi,

You are right.

Communication between ASA and ACS should be ok, authentication works fine.


Using the ACS as address pool, it fails:

Debug Message:

"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"

"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"


Jens
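Federico's reply narrows the variable to who hands out the client address, and Jens's debug output shows the two lines the ASA emits when that hand-out fails. The following is an added triage helper written for this page, not Cisco code and not something either poster provided: it parses ASA IKE debug lines of the "Group=..., username=..., IP=..., message" shape quoted above, tags the "Cannot obtain an IP address for remote peer" line and the empty "response of type []" line from the address utility, and counts address-assignment failures per group and user so an intermittent fault can be tied to specific sessions. The group name, usernames and peer addresses in the embedded sample are constructed (203.0.113.0/24 is a documentation range), and only the failure strings come from the thread.

```python
"""Triage helper for ASA IKE debug output (added example, not Cisco code).

Parses lines of the form
  Group=<group>, username=<user>, IP=<peer>, <message>
and counts address-assignment failures per (group, user).
"""
import re
from collections import Counter

# Field layout of the debug lines quoted in the thread. The original
# output has no space after "IP=x," in one line, so \s* is used throughout.
LINE_RE = re.compile(
    r"^Group=(?P<group>[^,]+),\s*username=(?P<user>[^,]+),\s*"
    r"IP=(?P<peer>[^,]+),\s*(?P<msg>.*)$"
)

# Failure text quoted in the thread: logged when no address reaches IKE.
ADDR_FAIL = "Cannot obtain an IP address for remote peer"
# The address utility answered, but with an empty type field "[]".
EMPTY_RESP_RE = re.compile(r"response of type\s*\[\s*\]")

# Constructed sample (not a real capture): one user fails twice, one succeeds.
SAMPLE_DEBUG = """\
Group=RAS, username=jdoe, IP=203.0.113.10,IKE received response of type[] to a request from the IP address utility
Group=RAS, username=jdoe, IP=203.0.113.10, Cannot obtain an IP address for remote peer
Group=RAS, username=asmith, IP=203.0.113.11, Assigned private IP address 10.10.10.5 (constructed line)
Group=RAS, username=jdoe, IP=203.0.113.10, Cannot obtain an IP address for remote peer
"""


def parse_line(line):
    """Return the four fields as a dict, or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Tag a message: ADDR_FAIL, EMPTY_RESPONSE (precursor), or OTHER."""
    if ADDR_FAIL in msg:
        return "ADDR_FAIL"
    if EMPTY_RESP_RE.search(msg):
        return "EMPTY_RESPONSE"
    return "OTHER"


def summarize(debug_text):
    """Count parsed lines and ADDR_FAIL events per (group, user)."""
    failures = Counter()
    empty_responses = Counter()
    parsed = 0
    for line in debug_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated debug output is ignored, not an error
        parsed += 1
        tag = classify(rec["msg"])
        key = (rec["group"], rec["user"])
        if tag == "ADDR_FAIL":
            failures[key] += 1
        elif tag == "EMPTY_RESPONSE":
            empty_responses[key] += 1
    return {"parsed": parsed, "failures": failures,
            "empty_responses": empty_responses}


if __name__ == "__main__":
    result = summarize(SAMPLE_DEBUG)
    print("parsed lines:", result["parsed"])
    for (group, user), n in result["failures"].items():
        print(f"group={group} user={user}: {n} address-assignment failure(s)")
```

Feed it the output of the debug Federico asked for (redirected to a file) instead of the constructed sample; a user who appears under failures only some of the time, while others in the same group get addresses, points at the per-user attribute the ACS returns rather than at ASA-to-ACS reachability, which matches Federico's reasoning that authentication itself is not the variable.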
