
vpn-addr-assign via DHCP

Hi,

We are facing an intermittent issue while connecting RA VPN users. This issue started after upgrading an ASA 5545-X from 9.1.2 to 9.1.5(10).

VPN users are successfully authenticated as per the ACS logs, but the Phase 2 negotiation is not able to complete. The VPN user IP address is configured to be assigned from DHCP. However, this is intermittent: the same users are able to connect sometimes, but not all the time.

Here is the configuration of one of the profiles; we have 3 similar VPN profiles.

group-policy XXX-VPN-Policy internal
group-policy XXX-VPN-Policy attributes
 dns-server value x.x.x.x y.y.y.y
 dhcp-network-scope 172.20.25.0
 vpn-simultaneous-logins 3
 vpn-filter value VPN-FLTR-ACL
 vpn-tunnel-protocol ikev1 ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxx-VPN-ACL
 default-domain value xxxx
!
tunnel-group xxxx-VPN type remote-access
tunnel-group xxxx-VPN general-attributes
 address-pool xxxx-VPNPool-02
 authentication-server-group RADIUS
 default-group-policy XXX-VPN-Policy
 dhcp-server 10.10.xx.xx
tunnel-group xxxx-VPN ipsec-attributes
 ikev1 pre-shared-key *****

Can anyone advise what the issue could be? Could this be a known bug?

Thanks in advance.

2 REPLIES

Hi,

Do you see any logs when it fails?

Issue the commands below and see if it improves the situation.

no vpn-addr-assign aaa
no vpn-addr-assign local

!

Run

debug crypto ipsec 7

to see the logs during IPsec Phase 2.

Regards

Karthik

Hi Karthik,

Thanks for your reply. We can't use the "no vpn-addr-assign local" command, as some of the VPN groups are using IP addresses from a locally assigned pool.

It's a mix of both (local + DHCP).

Thanks for your time.
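The exchange above turns on which address-assignment methods each tunnel-group actually relies on: the original poster's tunnel-group carries both an address-pool and a dhcp-server, and the suggested "no vpn-addr-assign local" would remove addressing for any group that has only a local pool. As an added example (not code from the thread, from Cisco, or from either poster), the Python script below parses the group-policy and tunnel-group blocks in the form shown in the post and reports, per tunnel-group, whether it uses a local pool, DHCP, or both, and which groups would be affected by disabling "vpn-addr-assign local". The sample config is constructed from the thread's own placeholders plus a hypothetical second group, LocalOnly-VPN; the three vpn-addr-assign keywords (aaa, dhcp, local) are real ASA keywords, but the specific findings the script raises (for example, flagging a dhcp-server without a dhcp-network-scope in its group-policy) are this example's own audit heuristics, not a Cisco-documented check.

```python
"""Audit an ASA running-config for remote-access address-assignment methods.

Added example, not from the thread. It parses group-policy and tunnel-group
blocks and reports, per tunnel-group, whether user addresses come from a
local pool, a DHCP server, or both, so the effect of removing
"vpn-addr-assign local" can be judged before the change is made.
"""
import re
from collections import defaultdict

# Constructed sample config modelled on the thread (placeholders kept as-is).
# LocalOnly-VPN is a hypothetical group that relies on a local pool only.
SAMPLE_CONFIG = """\
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
group-policy XXX-VPN-Policy internal
group-policy XXX-VPN-Policy attributes
 dns-server value x.x.x.x y.y.y.y
 dhcp-network-scope 172.20.25.0
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ikev2
group-policy LocalOnly-Policy internal
group-policy LocalOnly-Policy attributes
 vpn-tunnel-protocol ikev1
!
tunnel-group xxxx-VPN type remote-access
tunnel-group xxxx-VPN general-attributes
 address-pool xxxx-VPNPool-02
 authentication-server-group RADIUS
 default-group-policy XXX-VPN-Policy
 dhcp-server 10.10.xx.xx
tunnel-group LocalOnly-VPN type remote-access
tunnel-group LocalOnly-VPN general-attributes
 address-pool LocalPool-01
 default-group-policy LocalOnly-Policy
"""


def parse_asa_config(text):
    """Return (addr_assign_methods, group_policies, tunnel_groups).

    group_policies: name -> {attribute keyword: rest of line}
    tunnel_groups:  name -> {'address-pool', 'dhcp-server',
                             'default-group-policy'} (value or None)
    """
    methods = set()
    gps = defaultdict(dict)
    tgs = defaultdict(lambda: {"address-pool": None, "dhcp-server": None,
                               "default-group-policy": None})
    current = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"vpn-addr-assign\s+(\S+)", line)
        if m:
            methods.add(m.group(1))
            current = None
            continue
        m = re.match(r"group-policy\s+(\S+)\s+attributes$", line)
        if m:
            current = ("gp", m.group(1))
            gps[m.group(1)]  # make sure the policy exists even if empty
            continue
        m = re.match(r"tunnel-group\s+(\S+)\s+general-attributes$", line)
        if m:
            current = ("tg", m.group(1))
            tgs[m.group(1)]
            continue
        if not line.startswith(" "):
            current = None  # some other top-level line, e.g. "... type remote-access"
            continue
        key, _, value = line.strip().partition(" ")
        if current and current[0] == "gp":
            gps[current[1]][key] = value
        elif current and current[0] == "tg" and key in tgs[current[1]]:
            tgs[current[1]][key] = value
    return methods, dict(gps), dict(tgs)


def audit(text):
    """Per tunnel-group summary plus findings relevant to the thread."""
    methods, gps, tgs = parse_asa_config(text)
    report = {}
    for name, tg in tgs.items():
        gp = gps.get(tg["default-group-policy"] or "", {})
        uses_pool = tg["address-pool"] is not None
        uses_dhcp = tg["dhcp-server"] is not None
        findings = []
        if uses_dhcp and "dhcp" not in methods:
            findings.append("dhcp-server set but vpn-addr-assign dhcp is disabled")
        if uses_dhcp and "dhcp-network-scope" not in gp:
            findings.append("dhcp-server set but group-policy has no dhcp-network-scope")
        if uses_pool and not uses_dhcp and "local" not in methods:
            findings.append("only a local pool, but vpn-addr-assign local is disabled")
        if uses_pool and not uses_dhcp:
            findings.append("would lose addressing if 'no vpn-addr-assign local' is applied")
        report[name] = {"pool": uses_pool, "dhcp": uses_dhcp, "findings": findings}
    return report


if __name__ == "__main__":
    for group, info in audit(SAMPLE_CONFIG).items():
        print(group, info)
```

Run it against the output of "show running-config" instead of SAMPLE_CONFIG to see which groups depend on the local pool; in the sample, xxxx-VPN produces no findings while LocalOnly-VPN is flagged as the group that the suggested "no vpn-addr-assign local" would break.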
