VPN with ASA and ACS Pools

Our VPN RAS solution uses an ASA 5520 and the Cisco ACS to identify users.

The ACS also delivers the IP addresses.

Sometimes it works, sometimes not.

The connection stops after authentication with Error 433.

When I use an IP pool in the tunnel group of the ASA, everything works fine.

Can anyone help?

Hardware:

ASA 5520
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
----
CiscoSecure ACS
Release 4.2(1) Build 15 Patch 2

Re: VPN with ASA and ACS Pools

Hi,

The VPN RAS clients always authenticate against the ACS (what changes between the two scenarios is only who delivers the IP address, the ASA or the ACS), so I don't think there's a communication loss problem between the ASA and the ACS when this happens.

When the VPN connection fails (with the ACS delivering the IPs), do you get a message on the ASA showing that it was unable to receive an IP for the VPN client (debug cry ipsec 127)? You should get a similar message in the VPN client logs as well.

Federico.

Re: VPN with ASA and ACS Pools

Hi,

You are right.

Communication between the ASA and the ACS should be OK; authentication works fine.

Using the ACS as the address pool fails:

Debug Message:

"Group=x, username=x, IP=x,IKE recieved response of type[] to a request from the IP address utility"

"Group=x, username=x, IP=x, Cannot obtain an IP address for remote peer"

Jens
