08-03-2010 07:51 AM
Our VPN RAS Solution uses an ASA 5520 and the Cisco ACS to identify Users.
The ACS also delivers the IP-Addresses.
Sometimes it works, sometimes not.
The connection stops after authentication with Error 433.
When I use an IP-Pool in the Tunnel-Group of the ASA, everything works fine.
Can anyone help?
Hardware:
08-07-2010 09:37 AM
Hi,
The VPN RAS clients always authenticate against the ACS (what changes between the two scenarios is only who delivers the IP address, ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.
When the VPN connection fails (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message in the VPN client logs as well.
Federico.
08-12-2010 02:34 AM
Hi,
You are right.
Communication between ASA and ACS should be ok, authentication works fine.
Using the ACS as Address Pool, it fails:
Debug Message:
"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"
"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"
Jens