
VPN with ASA and ACS Pools

jens.itzke
Level 1

Our VPN RAS Solution uses an ASA 5520 and the Cisco ACS to identify Users.

The ACS also delivers the IP-Addresses.

Sometimes it works, sometimes not.

The connection stops after authentication with Error 433.

When I use an IP-Pool in the Tunnel-Group of the ASA, everything works fine.

Can anyone help?

Hardware:

ASA 5520
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
----
CiscoSecure ACS
Release 4.2(1) Build 15 Patch 2

Hi,

The VPN RAS clients always authenticate against the ACS (what changes between the two scenarios is only who delivers the IP address, ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.

When the VPN connection fails (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message in the VPN client logs as well.

Federico.

Hi,

you are right.

Communication between ASA and ACS should be ok, authentication works fine.

Using the ACS as Address Pool and fails:

Debug Message:

"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"

"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"

Jens
