Remote Access VPN IP Address-Lease (Tunnel) Issue

mjauner (Level 1)

Hello

I have machines on the Internet connected to our LAN via Cisco VPN Client. IPsec termination is an ASA 5520.

The physical address is provided by the customer's Internet provider.

The tunnel address we deliver from our LAN infrastructure.

The problem is, if the customer terminates and reconnects the VPN, the connection always gets a new tunnel address.

The issue occurs with "normal" termination (disconnecting the VPN client) as well as on a timeout or a break in the customer's Internet connection.

For administration purposes we need the customer to get the same IP. Release time for tunnel addresses is set to 120 minutes.

Maybe IPsec cannot handle this?

Thank you for help!

Martin


5 Replies

Marcin Latosiewicz (Cisco Employee)

Martin,

Why not assign users the same IP address?

It can be done with vpn-framed-ip under user attributes, or from RADIUS/LDAP almost out of the box.

Marcin

Marcin,

Thank you for your suggestion.

The fact is that we do XAUTH with OTP (ActivIdentity) against the AD.

It is not possible to change anything in the AD's structure, so we can't use "vpn-framed-ip".

And assigning fixed addresses for almost 4000 users is difficult.

I hope I understood your suggestion correctly.

Now I found that the VPN Client changes its "UID" in the DHCP request from connect to connect. This is the reason for assigning different IPs.

If we could change this behavior, I think that's the solution. But is it possible?

See attached.

Martin

Martin,

As far as I know we cannot change this behavior.

Let me ask like this, what would be the purpose of monitoring users via same IP address and not their username?

What sort of information are you extracting and what sort of information are you building with it?

Marcin

Marcin,

We do a Single Sign-On application in our proxy.

If the VPN disconnects/reconnects, the session identification based on IP won't work, and it falls back from SSO to manual authentication.

(Proxy Windows SSO vs. proxy LDAP with UID/PW)

After the fallback, Windows has to be restarted before SSO works again.

So, if it's not possible to change the behavior, we have to live with it, and if the tunnel went down the user has to restart the PC.

Martin

Martin,

There is no easily scalable way on the ASA to assign the same IP address every time apart from the mentioned ones.

Some brainstorming, might be completely off the point:

How does the SSO know which IP address to expect?

I understand that a username - IP address association is done and this is used for SSO.

After restarting the VPN we get the username, but a different IP.

Is there no keepalive mechanism built into the state machine keeping the association? I mean, that's the point of keeping the username - IP address association if that IP is no longer available.

Setting the (idle?) lifetime of the association more or less equal to the VPN timeouts could be a possibility, maybe?

Marcin