
ASA 5520 to ACS

I am setting up VPN on an ASA 5520 running version 8.2(3).  I used the wizard to get it set up.  I have two ACS servers located on different subnets than my ASA across an MPLS network.  I am able to ping other servers on both these subnets from my ASA.  Ping is disabled on the ACS boxes themselves.  When I attempt to VPN in, I get a message on the ASA that states:

Routing failed to located next hop for TCP from identity: IPADDRESS/63050 to inside: IPADDRESS/49

Any help would be greatly appreciated.  Thanks,

Josh

Accepted Solutions

Re: ASA 5520 to ACS

Hi,

You're trying to VPN in and authenticate against the ACS?

First, verify that the ASA is communicating correctly with the ACS and that the user is valid with the command

test aaa auth cisco host 1.1.1.1 user cisco pass cisco

Change:

cisco --> aaa server group name

1.1.1.1 ---> IP of the ACS

cisco/cisco --> user credentials

If you get a successful response, then the ASA is authenticating the client fine and we look into the VPN configuration.

If you get a bad response, there's a communication issue between the ASA and the ACS.

Federico.

5 REPLIES


Re: ASA 5520 to ACS

Thanks for your response.  I got an Authentication Successful message when trying this.

I have seen others with the same issue regarding the crypto map configuration.  I don't know much about them but think this might be where my problem is.  I used the wizard to create my VPN, but maybe the crypto map I need to do manually?  Let me know if you agree and/or have any insight to this.  Thanks,

Josh

Re: ASA 5520 to ACS

You can create the entire configuration via ASDM or CLI.

If you get authentication successful from the ASA, then all the communication between the ASA and ACS is fine.

Are you still getting the error when coming from the VPN client?

If so... do you have the authentication set as local for the VPN client connections?

Federico.
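
For reference, an added example (not part of the thread and not either poster's configuration) of the ASA 8.2 pieces this exchange touches: the server group that the `test aaa` command exercises, and the tunnel-group setting that decides whether VPN logins use that group or LOCAL. `ACS-GRP`, `RA-VPN`, `192.0.2.10`, `testuser` and the bracketed secrets are placeholders.

```cisco
! Constructed example; all names, addresses and secrets are placeholders.
!
! Server group. TCP/49 in the log message from the first post is TACACS+.
! The interface in parentheses is the one the ASA sends the request out of,
! so the ASA needs a route to the ACS address via that interface.
aaa-server ACS-GRP protocol tacacs+
aaa-server ACS-GRP (inside) host 192.0.2.10
 key <shared-secret>
!
! Remote-access tunnel group (assumed to exist already, e.g. created by
! the wizard). Without this line, VPN logins are checked against LOCAL only.
! The trailing LOCAL is a fallback used when the ACS group does not respond.
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-GRP LOCAL
!
! Checks, run from the ASA CLI:
!
! 1. Is there a route to the ACS subnet, and out of which interface?
show route | include 192.0.2
!
! 2. Long form of the test command given in the accepted answer.
test aaa-server authentication ACS-GRP host 192.0.2.10 username testuser password <password>
!
! 3. Server status and request/response counters for the group.
show aaa-server ACS-GRP
!
! 4. Which authentication source the VPN tunnel group actually uses.
show running-config tunnel-group RA-VPN
```

A successful result in step 2 only proves that the ASA can reach and authenticate against the ACS; step 4 is what shows whether VPN client logins are sent there.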


Re: ASA 5520 to ACS

Sorry was away for a couple days.  So today I tested again and it all worked fine!  Very odd, but I'll take it.


Re: ASA 5520 to ACS

Thanks for your help on this.  I appreciated the clear instructions on that test procedure.
