Cisco Support Community
New Member

ASA 5540 Not Authenticating

Our ASA 5540 has just started to deny all inbound connections for VPN with the following messages:

106023 Deny udp src dmz:...

713048 Error processing payload:

713048 Sending IKE Delete No Reason Prvd

713902 Removing peer from peer tabl fld

713903 Error. Unable to Remove Peer

Upon connection regardless of user when username and password are entered the fields immediately clear and no login occurs.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA 5540 Not Authenticating

Go figure.... it usually ends on a human mistake :P

12 REPLIES

Re: ASA 5540 Not Authenticating

Can you post here the next debugs "debug crypto isakmp 50"? To check whether authentication is the issue, you can go ahead and issue a test command on the asa for your authentication "test aaa authentication " type in the username and password and see if it fails or passes.

New Member

Re: ASA 5540 Not Authenticating

Will do. Just a side point is that the ASA time was actually two hours off of the accurate time. It was reset to the current time but authentication still did not work. I'm getting the debugs now and will post them.

New Member

Re: ASA 5540 Not Authenticating

Actually the good news is that we can access the asa directly but apparently the connection between the asa and the active directory server is not working. When we tested authentication it says the server is unavailable.

Re: ASA 5540 Not Authenticating

OK, what is the authentication protocol in use? Can the ASA reach it via ping?

New Member

Re: ASA 5540 Not Authenticating

We can ping the AD server from ASA. The client is using UDP, the AD Group is using RADIUS but when authenticating from within asa authentication server is unavailable.

Re: ASA 5540 Not Authenticating

So the protocol that you are using to communicate the ASA to the AD is radius, assuming via AIS, what do you see on the Event Viewer of your server?

Re: ASA 5540 Not Authenticating

Sorry Typo, I meant IAS, do you see the authentication request on the server? run a debug radius all on the asa with the test, do you see any error there?

New Member

Re: ASA 5540 Not Authenticating

You're going to love this. First, I'm actually a contract programmer analyst developing a web reporting module for an insurance company. Second, the IT department is limited and they ask for my help occasionally.

Now for the good part.

The problem first started happening on Saturday afternoon. Obviously something changed at that point.

wait for it..

..

..

..

The Manager of IT decided to set the IAS server to dynamic IP and use the static IP on another server.

That one's a keeper.

Re: ASA 5540 Not Authenticating

Go figure.... it usually ends on a human mistake :P

New Member

Re: ASA 5540 Not Authenticating

The pointy haired boss strikes again. GRR!

He changed the IAS server to a new static IP on a different subnet and updated DNS to point to the new IP.

Even when the ASA is configured to point to the IP of the IAS server it fails authentication even though it can be pinged.

I have a gut feeling that there is DNS corruption somewhere and that while the ASA can ping the server IP it fails on authentication due to incorrect name resolution.

My simple question is if there is a way to hardcode server name, ip and subnet mask in the ASA so that no matter what he screws up on the network as long as we keep the IAS and ASA configured properly it would work.

P.S.

This is why I got out of network engineering.
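An added example, not part of the original thread: one way to pin the RADIUS (IAS) server by IP address on the ASA so that authentication does not depend on DNS, followed by the checks suggested earlier in the thread. The group tag `IAS-RADIUS`, the interface name `inside`, the address `192.0.2.10`, the name `ias-server`, the test account and the key are placeholders assumed for illustration.

```cisco
! --- Assumed placeholders: IAS-RADIUS, inside, 192.0.2.10, ias-server,
! --- vpn-test-user, <shared-secret>, <password>. Substitute your own values.

! Optional static name-to-IP mapping, local to the ASA (no DNS lookup).
names
name 192.0.2.10 ias-server

! Define the AAA server group and point it at the server by IP address.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 ! Must match the shared secret configured for this ASA on the IAS server.
 key <shared-secret>
 ! The ASA defaults to 1645/1646; set the ports the server listens on.
 authentication-port 1812
 accounting-port 1813
 timeout 5

! --- Verification, run from privileged EXEC mode ---

! Send a real RADIUS authentication request for a known account.
test aaa-server authentication IAS-RADIUS host 192.0.2.10 username vpn-test-user password <password>

! Watch the RADIUS exchange while the test runs.
debug radius all

! Check the server state and request/timeout counters.
show aaa-server IAS-RADIUS
```

A successful ping only proves IP reachability. The RADIUS request must also arrive from an address the IAS server has registered as a RADIUS client, with a matching shared secret, so that entry needs to be rechecked on the server whenever either device changes IP address or subnet.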

New Member

Re: ASA 5540 Not Authenticating

Just a heads up. If you mess around with the DNS and IP addresses too much, just remember to clear out your DNS cache and tables on your ASA.

Problem Solved,
