08-03-2010 07:51 AM
Our VPN RAS Solution uses an ASA 5520 and the Cisco ACS to identify Users.
The ACS also delivers the IP-Addresses.
Sometimes it works, sometimes not.
The connection stops after authentication with Error 433.
When I use an IP-Pool in the Tunnel-Group of the ASA, everything works fine.
Can anyone help?
Hardware:
08-07-2010 09:37 AM
Hi,
The VPN RAS clients always authenticate against the ACS (what changes between the two scenarios is only who delivers the IP address, ASA or ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.
When the VPN connection fails, (the ACS is delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message on the VPN client logs as well.
Federico.
08-12-2010 02:34 AM
Hi,
You are right.
Communication between ASA and ACS should be ok, authentication works fine.
Using the ACS as Address Pool fails:
Debug Message:
"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"
"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"
Jens