
VPN concentrator to ASA migration - auth. issue

Hi All,

I am in the process of migrating the remote access VPN (IPSec) from VPN 3020 to ASA. Local authentication works fine. If I add IAS RADIUS servers for authentication, then I get the following error message:

Secure VPN connection terminated by Peer.

Reason 433: (Reason Not Specified by Peer)

Packet capture shows IAS server returning "access-reject". IAS server is configured the same way as the VPN 3020.

I am running 8.0(0) code on the ASA. Any idea what is causing it?

Accepted Solutions

Re: VPN concentrator to ASA migration - auth. issue

Hi,

Did you specify the shared secret between the ASA and IAS?

Did you specify in the RADIUS server that the ASA is allowed to send queries? In other words, did you specify that the ASA is a valid NAS?

This link may be useful: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

I hope this helps.

Best regards.

Massimiliano.

3 REPLIES


Re: VPN concentrator to ASA migration - auth. issue

The 3030 always sent the domain by default but the ASA does not send it unless the user enters it. Check the System event log on the IAS server and look at the fully-qualified-user-name entry and make sure the domain is correct.

Can you paste the entire System event entry for a user that's being rejected?


Re: VPN concentrator to ASA migration - auth. issue

Problem solved!

It was the shared secret key after all. I went back to the IAS server guy and asked him to confirm the shared secret and I was using 'l' instead of '1' (one). I entered the correct key and it started working.

Thanks for all the suggestions.
