Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
3
Replies

restored ASA 5505, now VPN doesn't work

Go to solution
jeffrsonk
Level 1
Level 1

‎06-04-2013 01:39 PM - edited ‎03-11-2019 06:52 PM

Hi everyone,

A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.

What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly. Any suggestions?

Thanks for your advice.

-j

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎06-04-2013 09:10 PM

Hello,

Can you provide the logs at the time of the authenticaiton problem on the ASA, As well as the debugs from the ASA:

Debug radius

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎06-04-2013 09:10 PM

Hello,

Can you provide the logs at the time of the authenticaiton problem on the ASA, As well as the debugs from the ASA:

Debug radius

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
jeffrsonk
Level 1
Level 1
In response to Julio Carvajal

‎06-05-2013 01:27 PM

Found the answer in the syslog -- said that my dynamic access policy wasn't set to "continue." It was, but not for the AD group I was using to test the connection. So the config was fine, but I had forgotten while on vacation that this VPN was for admin accounts only. Head. Desk.

Thanks for the nudge -- sometimes I just need someone to point out the obvious!

-j

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jeffrsonk

‎06-06-2013 07:20 AM

Great to hear that

Please mark the question as answered,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card