Community Member

VPN Authentication problems

I have recently upgraded our PIX to OS 7.0(5). We are experiencing issues with remote access VPN clients. Phase 1 authentication occurs OK but the user authentication is failing on some accounts. The PIX authenticates against Active Directory.

The strange thing is that some accounts authenticate OK yet others do not. Looking at the accounts there are no obvious differences; all are standard user accounts. If I set up a new account, it will also work? From the debug kerberos output the only difference between a successful authentication and one that isn't is:

'Kerberos library reports: "unknown"'

Anybody any ideas?



Re: VPN Authentication problems

One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.

Also take a look here, using ASDM...

Hope this helps and if it does please rate post!!
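To put the clock-skew check above into practice, here is a small script (added here, not part of the thread or any Cisco tool) that parses the firewall's `show clock` line, compares it with the domain controller's time read at the same moment, and flags an offset beyond the 300-second tolerance MIT Kerberos uses by default. The sample values are constructed and the `show clock` format assumes UTC.

```python
import re
from datetime import datetime, timezone

# Kerberos clock-skew tolerance: MIT krb5 defaults to 300 seconds (clockskew).
MAX_SKEW_SECONDS = 300

# PIX/ASA `show clock` line, e.g. "10:25:03.459 UTC Thu Jan 5 2006".
PIX_CLOCK_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+(?P<tz>\S+)\s+\w{3}\s+"
    r"(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})"
)


def parse_pix_clock(line: str) -> datetime:
    """Parse a `show clock` line into an aware UTC datetime (UTC zone assumed)."""
    m = PIX_CLOCK_RE.search(line)
    if not m or m.group("tz") != "UTC":
        raise ValueError(f"unrecognised or non-UTC clock line: {line!r}")
    stamp = f"{m.group('time')} {m.group('mon')} {m.group('day')} {m.group('year')}"
    return datetime.strptime(stamp, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)


def clock_skew_seconds(pix_clock: datetime, kdc_clock: datetime) -> float:
    """Absolute offset between the firewall clock and the KDC clock, in seconds."""
    return abs((pix_clock - kdc_clock).total_seconds())


def within_kerberos_tolerance(pix_clock: datetime, kdc_clock: datetime,
                              max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """True when the skew is small enough for the KDC to accept the request."""
    return clock_skew_seconds(pix_clock, kdc_clock) <= max_skew


# Constructed sample input (hypothetical values, not from the thread): the firewall's
# `show clock` output and the domain controller's clock read at the same instant.
SAMPLE_PIX_LINE = "10:25:03.459 UTC Thu Jan 5 2006"
SAMPLE_KDC_TIME = datetime(2006, 1, 5, 10, 31, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    pix = parse_pix_clock(SAMPLE_PIX_LINE)
    skew = clock_skew_seconds(pix, SAMPLE_KDC_TIME)
    verdict = "OK" if within_kerberos_tolerance(pix, SAMPLE_KDC_TIME) else "EXCEEDS tolerance"
    print(f"clock skew {skew:.0f}s -> {verdict}")
```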


Community Member

Re: VPN Authentication problems

Hi Jay

Yeah, the whole clock skew problem I found during development, so it's not that, I'm afraid. The strange thing is that this was tested against a test domain and worked fine. The other weird thing is that from the same remote client machine we can authenticate using one account but not the others.

I followed the document you listed during development.

Do you know if the PIX can actually authenticate directly against AD? I know I've done this in development but have the feeling I may have fluked something.

I'm a big PIX champion and have been trying to get this in instead of ISA Server. I finally proved that it can work against the domain (something that was required) and now it appears it doesn't work. I'm pretty gutted actually, though it could be a Windows issue?


Re: VPN Authentication problems

Community Member

Re: VPN Authentication problems

Hi Jay

Had a look at that too. The whole reason for upgrading to PIX 7.0 was to get rid of intermediary authentication servers as the sales blurb states.

I'm sure it's a Kerberos authentication problem, looking at the debug, because successful attempts to authenticate then throw up LDAP debug as they go on to be authorised.
