https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149429#M959642 <HTML><HEAD></HEAD><BODY><P>We can ping the AD server from ASA. The client is using UDP, the AD Group is using RADIUS but when authenticating from within asa authentication server is unavailable.</P></BODY></HTML> Thu, 22 Jan 2009 20:37:46 GMT wdhowellsr 2009-01-22T20:37:46Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149424#M959631 <P>Our ASA 5540 has just started to deny all inbound connections for VPN with the following messages:</P><P></P><P>106023 Deny udp src dmz:...</P><P>713048 Error processing payload:</P><P>713048 Sending IKE Delete No Reason Prvd</P><P>713902 Removing peer from peer tabl fld</P><P>713903 Error. Unable to Remove Peer</P><P></P><P>Upon connection regardless of user when username and password are entered the fields immediately clear and no login occurs.</P><P></P> Fri, 21 Feb 2020 11:13:56 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149424#M959631 wdhowellsr 2020-02-21T11:13:56Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149425#M959633 <HTML><HEAD></HEAD><BODY><P>Can you post here the next debugs "debug crypto isakmp 50"? To check whether authentication is the issue, you can go ahead and issue a test command on the asa for your authentication "test aaa authentication <AAA server="">" type in the username and password and see if it fails or passes.</AAA></P></BODY></HTML> Thu, 22 Jan 2009 18:59:22 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149425#M959633 Ivan Martinon 2009-01-22T18:59:22Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149426#M959636 <HTML><HEAD></HEAD><BODY><P>Will do. Just a side point is that the asa time was actually two hours off of the accurate time. It was reset to the current time but authentication still did not work. I'm getting the debus now and will post them.</P></BODY></HTML> Thu, 22 Jan 2009 19:08:33 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149426#M959636 wdhowellsr 2009-01-22T19:08:33Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149427#M959638 <HTML><HEAD></HEAD><BODY><P>Actually the good news is that we can access the asa directly but apparently the connection between the asa and the active directory server is not working. When we tested authentication it says the server is unavailable.</P></BODY></HTML> Thu, 22 Jan 2009 19:49:29 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149427#M959638 wdhowellsr 2009-01-22T19:49:29Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149428#M959640 <HTML><HEAD></HEAD><BODY><P>OK, what is the authentication protocol in use? Can he ASA reach it via ping?</P></BODY></HTML> Thu, 22 Jan 2009 19:53:36 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149428#M959640 Ivan Martinon 2009-01-22T19:53:36Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149429#M959642 <HTML><HEAD></HEAD><BODY><P>We can ping the AD server from ASA. The client is using UDP, the AD Group is using RADIUS but when authenticating from within asa authentication server is unavailable.</P></BODY></HTML> Thu, 22 Jan 2009 20:37:46 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149429#M959642 wdhowellsr 2009-01-22T20:37:46Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149430#M959644 <HTML><HEAD></HEAD><BODY><P>So the protocol that you are using to communicate the ASA to the AD is radius, assuming via AIS, what do you see on the Event Viewer of your server?</P></BODY></HTML> Thu, 22 Jan 2009 21:29:10 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149430#M959644 Ivan Martinon 2009-01-22T21:29:10Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149431#M959646 <HTML><HEAD></HEAD><BODY><P>Sorry Typo, I meant IAS, do you see the authentication request on the server? run a debug radius all on the asa with the test, do you see any error there?</P></BODY></HTML> Thu, 22 Jan 2009 21:40:49 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149431#M959646 Ivan Martinon 2009-01-22T21:40:49Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149432#M959649 <HTML><HEAD></HEAD><BODY><P>Your going to love this. First I'm actually a contract programmer analyst developing a web reporting module for an insurance company. Second the IT department is limited and they ask my help ocassionaly.</P><P></P><P>Now for the good part.</P><P></P><P>The problem first started happening on Saturday afternoon. Obviously something changed at that point.</P><P></P><P>wait for it..</P><P></P><P></P><P>..</P><P></P><P></P><P></P><P>..</P><P></P><P></P><P>..</P><P></P><P></P><P>The Manager of IT decided to set the IAS server to dynamic IP and use the static IP on another server.</P><P></P><P>That ones a keeper.</P></BODY></HTML> Thu, 22 Jan 2009 23:38:17 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149432#M959649 wdhowellsr 2009-01-22T23:38:17Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149433#M959650 <HTML><HEAD></HEAD><BODY><P>Go figure.... it usually ends on a human mistake <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P></BODY></HTML> Thu, 22 Jan 2009 23:42:43 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149433#M959650 Ivan Martinon 2009-01-22T23:42:43Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149434#M959653 <HTML><HEAD></HEAD><BODY><P>Your going to love this. First I'm actually a contract programmer analyst developing a web reporting module for an insurance company. Second the IT department is limited and they ask my help ocassionaly.</P><P></P><P>Now for the good part.</P><P></P><P>The problem first started happening on Saturday afternoon. Obviously something changed at that point.</P><P></P><P>wait for it..</P><P></P><P></P><P>..</P><P></P><P></P><P></P><P>..</P><P></P><P></P><P>..</P><P></P><P></P><P>The Manager of IT decided to set the IAS server to dynamic IP and use the static IP on another server.</P><P></P><P>That ones a keeper.</P></BODY></HTML> Thu, 22 Jan 2009 23:50:52 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149434#M959653 wdhowellsr 2009-01-22T23:50:52Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149435#M959655 <HTML><HEAD></HEAD><BODY><P>The pointy haired boss strikes again. GRR!</P><P></P><P>He changed the IAS server to a new static IP on a different subnet and updated DNS to point to the new IP.</P><P></P><P>Even when the ASA is configured to point to the IP of the IAS server it fails authentication even though it can being pinged. </P><P></P><P>I have a gut feeling that there is DNS corruption somewhere and that while the ASA can ping the server IP it fails on authentication due to incorrect name resolution.</P><P></P><P>My simple question is if there is a way to hardcode server name, ip and subnet mask in the ASA so that no matter what he screws up on the network as long as we keep the IAS and ASA configured properly it would work.</P><P></P><P>P.S.</P><P></P><P>This is why I got out of network engineering.</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 27 Jan 2009 17:23:36 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149435#M959655 wdhowellsr 2009-01-27T17:23:36Z https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149436#M959657 <HTML><HEAD></HEAD><BODY><P>Just a heads up. If you mess around with the DNS and IP addressees to much just remember to clear out your DNS cache and tables on your ASA.</P><P></P><P>Problem Solved,</P></BODY></HTML> Tue, 27 Jan 2009 22:49:09 GMT https://community.cisco.com/t5/network-security/asa-5540-not-authenticating/m-p/1149436#M959657 wdhowellsr 2009-01-27T22:49:09Z