Cisco Support Community
New Member

ASA, Microsoft VPN client and Active Directory again

Hello!

I've successfully set up ASA5510 + VPN client + local authorization and authentication, checked whether the VPN tunnel is established, and it was. Then I followed http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml to set up Kerberos authentication + LDAP authorization, checked the time settings and preauthentication in AD for the test VPN user, and then tested both functions. It worked.

However, when I try to establish a VPN connection using the very same username as when I test from ASDM, I get the following output in the Real Time Log Viewer:

4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Information Exchange processing failed

4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.24, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|602304|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been deleted.

6|Jan 19 2009|17:36:01|603107|||||L2TP Tunnel deleted, tunnel_id = 82, remote_peer_ip = 195.128.91.24

6|Jan 19 2009|17:36:01|603106|||||L2TP Tunnel created, tunnel_id is 82, remote_peer_ip is 195.128.91.24

4|Jan 19 2009|17:36:01|737013|||||IPAA: Error freeing address 0.0.0.0, not found

6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient

6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)

6|Jan 19 2009|17:36:00|302015|195.128.91.24|1753|195.128.91.254|1701|Built inbound UDP connection 841 for outside:195.128.91.24/1753 (195.128.91.24/1753) to identity:195.128.91.254/1701 (195.128.91.254/1701)

5|Jan 19 2009|17:35:59|713120|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 2 COMPLETED (msgid=d365e0c5)

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An inbound remote access SA (SPI= 0xCCD70173) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

5|Jan 19 2009|17:35:59|713049|||||Group = DefaultRAGroup, IP = 195.128.91.24, Security negotiation complete for User () Responder, Inbound SPI = 0xccd70173, Outbound SPI = 0x0f05b74a

6|Jan 19 2009|17:35:59|602303|||||IPSEC: An outbound remote access SA (SPI= 0x0F05B74A) between 195.128.91.254 and 195.128.91.24 (user= DefaultRAGroup) has been created.

6|Jan 19 2009|17:35:59|713177|||||Group = DefaultRAGroup, IP = 195.128.91.24, Received remote Proxy Host FQDN in ID Payload: Host Name: ws-nsk02.compumark.lexmark.ru Address 195.128.91.24, Protocol 17, Port 1701

5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 1 COMPLETED

6|Jan 19 2009|17:35:59|113009|||||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup

4|Jan 19 2009|17:35:59|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Freeing previously allocated memory for authorization-dn-attributes

6|Jan 19 2009|17:35:59|713172|||||Group = DefaultRAGroup, IP = 195.128.91.24, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device

If I switch back to local authentication and authorization VPN clients get connected without any problem.

Why is the reason unspecified and what else should I check?

Thank you!
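An added example (not from the original post or from Cisco) that triages Real Time Log Viewer lines like the ones above: it parses the pipe-delimited columns, walks them in time order and separates the IKE/IPsec stage, which completed, from the AAA rejection that actually ended the session. The sample lines are constructed after the post's format, and the wording of `verdict` is my own.

```python
import re

# Constructed sample in the pipe-delimited ASDM Real Time Log Viewer format seen in
# the post: severity|date|time|msgid|src|sport|dst|dport|text, newest line first.
SAMPLE_LOG = """\
4|Jan 19 2009|17:36:11|713903|||||Group = DefaultRAGroup, IP = 195.128.91.24, Information Exchange processing failed
4|Jan 19 2009|17:36:01|113019|||||Group = DefaultRAGroup, Username = , IP = 195.128.91.24, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 800, Bytes rcv: 1098, Reason: L2TP initiated
6|Jan 19 2009|17:36:01|113005|||||AAA user authentication Rejected : reason = Unspecified : server = 192.168.91.25 : user = vpnclient
6|Jan 19 2009|17:36:00|302015|192.168.91.25|88|192.168.91.11|61682|Built outbound UDP connection 842 for inside:192.168.91.25/88 (192.168.91.25/88) to identity:192.168.91.11/61682 (192.168.91.11/61682)
5|Jan 19 2009|17:35:59|713119|||||Group = DefaultRAGroup, IP = 195.128.91.24, PHASE 1 COMPLETED
"""

AAA_REJECT = re.compile(r"reason = (?P<reason>.+?) : server = (?P<server>\S+) : user = (?P<user>\S+)")
DISCONNECT = re.compile(r"Reason: (?P<reason>.+)$")

def parse_line(line):
    """Return (msgid, sport, dport, text) for a well-formed nine-column line, else None."""
    parts = line.split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    return parts[3], parts[5], parts[7], parts[8]

def diagnose(log_text):
    """Walk the log oldest-to-newest and collect the facts that decide which layer failed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.reverse()                              # viewer shows newest first
    r = {"phase1": False, "kdc_contacted": False, "aaa_reject": None, "disconnect_reason": None}
    for msgid, sport, dport, text in events:
        if msgid == "713119":                     # IKE phase 1 done: pre-shared key/IPsec is fine
            r["phase1"] = True
        elif msgid == "302015" and "88" in (sport, dport):
            r["kdc_contacted"] = True             # UDP/88 is Kerberos: the ASA did reach the KDC
        elif msgid == "113005" and (m := AAA_REJECT.search(text)):
            r["aaa_reject"] = m.groupdict()       # who was rejected, by which server, why
        elif msgid == "113019" and (m := DISCONNECT.search(text)):
            r["disconnect_reason"] = m["reason"]
    return r

def verdict(r):
    """One line that names the failing layer, so the IKE messages are not chased by mistake."""
    if not r["phase1"]:
        return "IKE phase 1 never completed: check the IPsec side first"
    if r["aaa_reject"]:
        a = r["aaa_reject"]
        return (f"IPsec is up; AAA server {a['server']} rejected user {a['user']} "
                f"(reason {a['reason']}): look at the PPP auth protocol and the AAA server")
    return "IPsec is up and no AAA rejection logged: look at L2TP/PPP negotiation"
```

Running `verdict(diagnose(SAMPLE_LOG))` on the sample points at the PPP/AAA stage rather than at IKE, which is where the replies below end up as well.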

3 REPLIES

Re: ASA, Microsoft VPN client and Active Directory again

Can you go ahead and set the tunnel PPP attributes to PAP instead of MS-CHAP v2 and try again? If that does not work, then go ahead and set debug kerberos 128 and upload the debugs. Also make sure your client is set to PAP when testing this L2TP connection.

New Member

Re: ASA, Microsoft VPN client and Active Directory again

Thank you!

I've tried PAP and it worked without any problem. Then I switched back to MS-CHAP-V2 and it didn't. Setting debug kerberos 128 led to the following output while the VPN client was reporting "Verifying username and password", and the last 2 lines seem to continue on the console until I force the "exit" command in the terminal session.

Do you have any ideas what goes wrong here?

Thank you!

Re: ASA, Microsoft VPN client and Active Directory again

I am not entirely sure whether Kerberos as a protocol supports MS-CHAP v2 hashing; that's why it worked fine when set to PAP. I would go ahead and check the settings on your AD server to verify whether MS-CHAP v2 is accepted by it.
