New Member

Remote Access VPN IP Address-Lease (Tunnel) Issue

Hello

I have machines on the Internet connected to our LAN via Cisco VPN Client. IPsec termination is an ASA 5520.

The physical address is provided by the customer's Internet provider.

The tunnel address we deliver from our LAN infrastructure.

The problem is that if the customer terminates and reconnects the VPN, the connection always gets a new tunnel address.

The issue occurs with "normal" termination (disconnecting the VPN client) as well as on a timeout or a break in the customer's Internet connection.

For administration purposes we need the customer to get the same IP. Release time for tunnel addresses is set to 120 minutes.

Maybe IPsec cannot handle this?

Thank you for your help!

Martin

5 REPLIES
Cisco Employee

Re: Remote Access VPN IP Address-Lease (Tunnel) Issue

Martin,

Why not assign users the same IP address?

It can be done with vpn-framed-ip under user attributes or from RADIUS/LDAP almost out of the box.

Marcin
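
Marcin's two options above, written out as an added ASA configuration example. This is not configuration from the thread or from Cisco; the user name, addresses, pool, server group and tunnel-group names are all assumed. The first option is a per-user `vpn-framed-ip-address` on a locally defined user; the second is the same address returned per user by the RADIUS server as the IETF `Framed-IP-Address` attribute, which the ASA consults first when `vpn-addr-assign aaa` is enabled. Martin's later reply explains why the per-user variant does not fit his environment.

```cisco
! Added example, not from the thread. Names, addresses and servers are assumed.

! 1. Order in which the ASA looks for a client address: AAA-supplied first,
!    then DHCP, then the local pool.
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local

! 2. Local pool for users without a fixed address. Keep any fixed addresses
!    outside this range so a static user and a pool user can never collide.
ip local pool RA-POOL 10.10.10.100-10.10.10.250 mask 255.255.255.0

! 3. Option A: fixed address on a locally defined user (placeholder password)
username martin password <password>
username martin attributes
 vpn-framed-ip-address 10.10.10.5 255.255.255.0
 service-type remote-access

! 4. Option B: the RADIUS server returns the address per user in the Access-Accept
!    as IETF attribute 8 (Framed-IP-Address) and 9 (Framed-IP-Netmask).
!    Equivalent FreeRADIUS "users" file entry, shown here only as a comment:
!      martin  Cleartext-Password := "<password>"
!              Framed-IP-Address = 10.10.10.5, Framed-IP-Netmask = 255.255.255.0
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.5
 key <shared-secret>

tunnel-group RA-IPSEC general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
```

Both options pin a user to one address for every connection, which is what an IP-keyed downstream system needs; the cost is that the address table has to be maintained somewhere (locally or in the AAA backend) for every user, which is the scaling problem Martin raises next.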

New Member

Re: Remote Access VPN IP Address-Lease (Tunnel) Issue

Marcin,

Thank you for your suggestion.

The fact is that we do XAUTH with OTP (ActivIdentity) against the AD.

It is not possible to change anything in the AD's structure, so we can't use "vpn-framed-ip".

And assigning fixed addresses for almost 4000 users is difficult.

I hope I understood your suggestion correctly.

Now I found that the VPN client changes its "UID" in the DHCP request from connection to connection. This is the reason for the different IPs being assigned.

If we could change this behavior, I think that's the solution. But is it possible?

See attached.

Martin

Cisco Employee (Accepted Solution)

Re: Remote Access VPN IP Address-Lease (Tunnel) Issue

Martin,

As far as I know we cannot change this behavior.

Let me ask it like this: what would be the purpose of monitoring users via the same IP address and not their username?

What sort of information are you extracting and what sort of information are you building with it?

Marcin

New Member

Re: Remote Access VPN IP Address-Lease (Tunnel) Issue

Marcin,

We do a single sign-on application in our proxy.

If the VPN disconnects/reconnects, the session identification based on IP won't work, and it falls back from SSO to manual authentication.

(Proxy Windows SSO vs. proxy LDAP with UID/PW)

After the fallback, Windows has to be restarted before SSO works again.

So, if it's not possible to change the behavior, we have to live with it, and if the tunnel was down the user has to restart the PC.

Martin

Cisco Employee

Re: Remote Access VPN IP Address-Lease (Tunnel) Issue

Martin,

There is no easily scalable way on the ASA to assign the same IP address every time apart from the ones mentioned.

Some brainstorming, which might be completely off the point:

How does the SSO know which IP address to expect?

I understand that a username - IP address association is done and this is used for SSO.

After restarting the VPN we get a username - but a different IP.

Is there no keepalive mechanism built into the state machine that keeps the association? I mean, what's the point of keeping a username - IP address association if that IP is no longer available?

Setting the (idle?) lifetime of the association more or less equal to the VPN timeouts could maybe be a possibility?

Marcin
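
Marcin's brainstorming amounts to moving the problem from the ASA to the proxy: instead of expecting a fixed IP per user, let the proxy re-key its username to IP association when the VPN reports a new address for a user, and give that association a lifetime tied to the VPN timeouts. The following added example is not from the thread, from Cisco or from any proxy product; it is a small in-memory session table with an idle lifetime, a `vpn_assigned` hook that migrates a live session to the new address, and constructed events showing when the user keeps SSO and when the fallback to manual authentication happens. The event format, timings and addresses are invented for the example; the 7200-second lifetime mirrors the 120-minute release time from the question.

```python
"""Added example (not from the thread): a proxy SSO session table that survives a
VPN reconnect by re-keying the username -> IP association from VPN address
assignment events, rather than treating the new source IP as an unknown client.

Events, timings and addresses below are constructed; they are not ASA syslog.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float


class SsoTable:
    def __init__(self, idle_lifetime):
        self.idle = idle_lifetime   # seconds; align with the VPN idle/release timers
        self.by_ip = {}
        self.by_user = {}

    def _expire(self, now):
        """Drop associations that have idled past the lifetime."""
        for ip, s in list(self.by_ip.items()):
            if now - s.last_seen > self.idle:
                del self.by_ip[ip]
                self.by_user.pop(s.user, None)

    def login(self, user, ip, now):
        """Windows SSO succeeded for user at ip."""
        self._expire(now)
        s = Session(user, ip, now)
        self.by_ip[ip] = s
        self.by_user[user] = s

    def vpn_assigned(self, user, new_ip, now):
        """The VPN headend reports that user now holds new_ip.

        Moves the live session to the new address and forgets the old one, so a
        later VPN user who receives the old address does not inherit the session.
        Returns False when there is no live session to move (fallback will happen).
        """
        self._expire(now)
        s = self.by_user.get(user)
        if s is None:
            return False
        self.by_ip.pop(s.ip, None)
        s.ip, s.last_seen = new_ip, now
        self.by_ip[new_ip] = s
        return True

    def lookup(self, ip, now):
        """Per-request check: SSO user for this source IP, or None (manual auth)."""
        self._expire(now)
        s = self.by_ip.get(ip)
        if s:
            s.last_seen = now
        return s.user if s else None


def demo():
    """Constructed timeline: login, reconnect with a new IP, reconnect after idle-out."""
    t = SsoTable(idle_lifetime=7200)
    t.login("martin", "10.10.10.10", now=0)
    r1 = t.lookup("10.10.10.10", now=600)              # normal SSO hit
    t.vpn_assigned("martin", "10.10.10.11", now=1200)  # tunnel dropped, new address
    r2 = t.lookup("10.10.10.11", now=1300)             # still SSO, no fallback
    r3 = t.lookup("10.10.10.10", now=1300)             # old address no longer trusted
    moved = t.vpn_assigned("martin", "10.10.10.12", now=1300 + 7201)  # past lifetime
    r4 = t.lookup("10.10.10.12", now=1300 + 7202)      # manual auth again
    return r1, r2, r3, moved, r4


if __name__ == "__main__":
    print(demo())
```

Two points matter if something like this is built for real. The assignment event must come only from the VPN headend over a trusted channel, because anyone able to inject "user X now has IP Y" would take over X's SSO session; and the old address must be dropped immediately on migration, since with a shared pool it can be handed to a different VPN user within the same lifetime window. Both follow from the thread's own premise that session identity here is keyed on IP rather than on the authenticated username.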
