Seems really weird. Do they pull an address from a VPN pool? Are they using the same account to connect? You can have a limited user account login, meaning that a user can be restricted to having 3 simultaneous logins and 3 people can be connected using the same login.
Can you post the group policy and your tunnel policy for these users?
This sounds like it could be a NAT issue with the device at that remote site. I suggest you configure "isakmp nat-traversal 20" in your ASA and see if that helps. This will enable UDP encapsulation of the ESP traffic (e.g. the encrypted data), which should help prevent issues with having multiple users behind a device performing PAT.
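Added example (not part of the original thread): a toy model of the PAT behaviour the reply above describes, showing why two clients behind one PAT device collide on raw ESP and are kept apart once ESP is wrapped in UDP. The `PatDevice` class, the addresses and the last-writer-wins handling of ESP are assumptions made for illustration; real PAT devices vary in how they treat port-less protocols.

```python
# Toy PAT (port address translation) table, constructed for illustration.
# Assumption: the device keeps one entry per remote peer for port-less
# protocols such as ESP (last writer wins).
from dataclasses import dataclass, field

ESP, UDP = 50, 17        # IP protocol numbers
NAT_T_PORT = 4500        # UDP port carrying NAT-T encapsulated ESP


@dataclass
class PatDevice:
    next_port: int = 20000
    by_port: dict = field(default_factory=dict)  # (proto, public_port) -> inside host
    by_peer: dict = field(default_factory=dict)  # (proto, remote_ip) -> inside host

    def outbound(self, inside_ip, proto, remote_ip, sport=None):
        """Translate an outbound packet; return the public source port (None for ESP)."""
        if sport is None:
            # ESP has no ports: only the source IP can be rewritten.
            self.by_peer[(proto, remote_ip)] = inside_ip
            return None
        public_port = self.next_port  # UDP: unique public port per flow
        self.next_port += 1
        self.by_port[(proto, public_port)] = inside_ip
        return public_port

    def inbound(self, proto, remote_ip, dport=None):
        """Return the inside host that a reply from remote_ip is delivered to."""
        if dport is None:
            return self.by_peer.get((proto, remote_ip))
        return self.by_port.get((proto, dport))


def simulate(nat_t):
    """Two clients behind one PAT device build tunnels to the same headend."""
    pat, headend = PatDevice(), "203.0.113.10"   # constructed addresses
    clients = ["192.168.1.10", "192.168.1.11"]
    proto = UDP if nat_t else ESP
    sport = NAT_T_PORT if nat_t else None
    ports = [pat.outbound(c, proto, headend, sport) for c in clients]
    # The headend answers each tunnel; record where the PAT device sends it.
    return [pat.inbound(proto, headend, p) for p in ports]


if __name__ == "__main__":
    print("raw ESP :", simulate(nat_t=False))  # both replies reach one host
    print("NAT-T   :", simulate(nat_t=True))   # each reply reaches its own host
```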
Hopefully someone can help with a similar issue I'm having with a PIX-515e firewall; software version 6.3.4, PDM version 3.0.2.
We're getting constant VPN termination errors (reason 412 and 413) from a group of users at one location. I am by no means a PIX guru, but I've verified that NAT-T is configured. I can't figure out how to determine if there is a group policy set. I'd be happy to post or email the current config if that will help - it's about 150 lines long.