I have an ACS that handles authentication/authorization for our VPN Concentrator. I noticed more and more that I have to reboot the ACS frequently because it would stop authenticating folks at some point. When I try to login it kicks back with an error indicating maxed administrative sessions. ACS should time out sessions if they aren't being used, correct?
You are hitting bug CSCse26754. ACS/ACSE Administration may do limited session validation. After successful login, ACS does only limited session validation by matching the IP alone. This is due to a weakness in the default configuration of ACS.
Just so I'm understanding that bug, you're using port 2002 to log in, but after a successful login you then use a random port from 1024 up to 6xxxx. Thereafter, ACS will only look at the port and not the IP address. I'm not sure how that relates to my experience of ACS not being able to authenticate users through to Novell or Active Directory after a period of time? It will say "authentication failed" if you telnet to a device that does AAA, or log in through the VPN client off a concentrator that is talking to ACS for AAA.
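The two behaviours the thread is discussing, an administrative session cap that fills up when idle sessions are never reaped, and a session check that keys on the client IP alone, can be shown side by side in a generic session table. This is an added illustration, not ACS code and not from any poster above; the cap of 3, the 300-second idle timeout, the IP addresses and the function names are all assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass

# Assumed values for the illustration; they are not the real ACS limits.
MAX_ADMIN_SESSIONS = 3
IDLE_TIMEOUT = 300  # seconds


@dataclass
class Session:
    token: str
    client_ip: str
    last_seen: float  # seconds; supplied by the caller so the example is deterministic


class SessionTable:
    """Bounded table of admin sessions bound to a random token and the login IP."""

    def __init__(self, max_sessions=MAX_ADMIN_SESSIONS,
                 idle_timeout=IDLE_TIMEOUT, reap_idle=True):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self.reap_idle = reap_idle   # False reproduces the "never times out" behaviour
        self._sessions = {}

    def _expire(self, now):
        if not self.reap_idle:
            return
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_seen > self.idle_timeout]
        for t in stale:
            del self._sessions[t]

    def login(self, client_ip, now):
        """Create a session, or raise once the cap is reached."""
        self._expire(now)
        if len(self._sessions) >= self.max_sessions:
            raise RuntimeError("maximum administrative sessions reached")
        token = secrets.token_hex(16)
        self._sessions[token] = Session(token, client_ip, now)
        return token

    def validate(self, token, client_ip, now):
        """Proper check: the caller must present the token from the same IP."""
        self._expire(now)
        s = self._sessions.get(token)
        if s is None or s.client_ip != client_ip:
            return False
        s.last_seen = now
        return True

    def validate_ip_only(self, client_ip, now):
        """Weak check modelling 'matching the IP alone': no token required,
        so any host sharing that IP (e.g. behind the same NAT) passes."""
        self._expire(now)
        return any(s.client_ip == client_ip for s in self._sessions.values())

    def count(self):
        return len(self._sessions)


def count_successful_logins(table, attempts, spacing):
    """Log in `attempts` times, `spacing` seconds apart, from distinct hosts;
    return how many succeed before the cap blocks further logins."""
    ok = 0
    for i in range(attempts):
        try:
            table.login(f"10.0.0.{i + 1}", now=i * spacing)
            ok += 1
        except RuntimeError:
            break
    return ok


if __name__ == "__main__":
    leaky = SessionTable(reap_idle=False)
    print("without idle reaping:", count_successful_logins(leaky, 5, 1000), "of 5 logins")
    healthy = SessionTable(reap_idle=True)
    print("with idle reaping:   ", count_successful_logins(healthy, 5, 1000), "of 5 logins")
```

Running the script shows the leaky table admitting only three of five well-spaced logins before reporting the cap, while the reaping table admits all five; `validate_ip_only` shows why an IP-only check is not a substitute for a per-session token.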