Cisco Support Community
New Member

VPN client, 3000 concentrator cowork with ACS, Windows AD

I have set up a VPN 3005 (v.3.0.2) concentrator and ACS 3.2v with an external user database directed to Windows AD, running RADIUS to authenticate VPN client users. However, it always fails even though the IPsec tunnel has been established and the username/password has been accepted by ACS, and I also see it succeed from the VPN 3005. What is the problem most likely? Is it possible the OS in the VPN 3000 is too old?

3 REPLIES
New Member

Re: VPN client, 3000 concentrator cowork with ACS, Windows AD

Since the 3005 is reporting all is well, do you get any messages in the Windows Server's 'Event Viewer'?

If so, are there any IAS, Login, or related System messages?

Are the Remote Dial-in Permissions set correctly?

Have you checked the VPN Client log?

If so, what errors?

Here's an excellent tech doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800c3917.shtml

New Member

Re: VPN client, 3000 concentrator cowork with ACS, Windows AD

The VPN client log is as below:

21 09:13:31.904 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

22 09:13:31.904 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

23 09:13:38.083 10/30/03 Sev=Info/4 CM/0x63100017

xAuth application returned

24 09:13:38.083 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.69.147.250

25 09:13:38.293 10/30/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 203.69.147.250

26 09:13:38.293 10/30/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.69.147.250

27 09:13:38.293 10/30/03 Sev=Info/4 CM/0x63100015

Launch xAuth application

28 09:13:52.233 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

29 09:13:52.233 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

30 09:14:12.262 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

31 09:14:12.262 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

32 09:14:32.291 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

33 09:14:32.291 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

34 09:14:38.439 10/30/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 203.69.147.250

35 09:14:38.439 10/30/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 203.69.147.250

36 09:14:52.319 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

37 09:14:52.319 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

38 09:15:12.348 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

39 09:15:12.348 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

40 09:15:32.377 10/30/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 203.69.147.250

41 09:15:32.377 10/30/03 Sev=Info/6 IKE/0x63000052

Sent a keepalive on the IKE SA

Then it prompts the login window again.

New Member

Re: VPN client, 3000 concentrator cowork with ACS, Windows AD

Have you checked the ACS logs in 'Report and Activity' to see what's going on with the Usernames (XAuth) authentication?

The Group authentication must be good or IKE Phase 1 would not have gone to the XAuth step. Check your logs (VPN Concentrator, ACS, and NT Event Viewer). They should point you in the right direction.
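
As an added example (not part of any post in this thread, and not Cisco code), the Python below parses the VPN Client log format shown above and reports each point where the XAuth prompt is relaunched within a few seconds of credentials being submitted, which is the re-prompt the original poster describes. The function names and the 5-second window are assumptions; the sample is entries 23, 24, 26 and 27 copied from the posted log.

```python
import re
from datetime import datetime

# Header line of a VPN Client log entry, as it appears in the posted log:
#   <seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<level>/<n> <module>/<event id>
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d{3})\s+(\d\d/\d\d/\d\d)\s+"
    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$"
)

def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(f"{m[3]} {m[2]}", "%m/%d/%y %H:%M:%S.%f")
            current = {"seq": int(m[1]), "time": ts, "module": m[6],
                       "event": m[7], "msg": ""}
            entries.append(current)
        elif current is not None:
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries

def xauth_reprompts(entries, window_s=5.0):
    """Return (returned_seq, relaunch_seq, gap_seconds) for each time the
    XAuth dialog is relaunched shortly after the user submitted credentials."""
    hits, submitted = [], None
    for e in entries:
        if "xAuth application returned" in e["msg"]:
            submitted = e
        elif "Launch xAuth application" in e["msg"] and submitted:
            gap = (e["time"] - submitted["time"]).total_seconds()
            if gap <= window_s:
                hits.append((submitted["seq"], e["seq"], round(gap, 3)))
            submitted = None
    return hits

# Entries 23, 24, 26 and 27 of the log posted in the thread.
SAMPLE = """\
23 09:13:38.083 10/30/03 Sev=Info/4 CM/0x63100017
xAuth application returned
24 09:13:38.083 10/30/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.69.147.250
26 09:13:38.293 10/30/03 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.69.147.250
27 09:13:38.293 10/30/03 Sev=Info/4 CM/0x63100015
Launch xAuth application
"""
```

The timestamps returned for each hit can be matched against the ACS and concentrator logs for the same second to see which side answered the credential submission.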
