Showing results for 
Search instead for 
Did you mean: 

Unable to assign IP addresses to VPN Clients with the Cisco Secure ACS authentication server, and the "Group User [USER] Cannot obtain an IP address for remote peer" error message appears in the event logs of Concentrator


Core issue

The error message appears when the VPN Client fails to receive an IP address from an Access Control Server (ACS), which is configured to assign IP addresses.


For a workaround,

It is recommended to reconfigure the settings in the VPN concentrator and the ip pools on the ACS:

  1. On the VPN Concentrator, choose Configuration > System > Address Management > Assignment > Use Address from Authentication Server > Apply in order to choose the authentication server option for IP address assignment.

  2. On the Cisco VPN 3000 Concentrator, choose Configuration > System > Servers > Accounting Servers.

  3. Add the details for the ACS in order to specify the ACS as an Accounting Server. This allows the ACS to see what IP addresses are in use and assign free IP addresses.

  4. In the ACS, go into either the User Setup or the Group Setup in order to provide the IP address.

  5. Choose VPN Client IP Address Assignment.

  6. Choose Assigned from AAA server pool. An IP address pool on the Authentication Authorization Accounting (AAA) server assigns the IP address.

Refer to the Setting IP Address Assignment Method for a User Group section of User Group Management for more information about the available options.

Refer to the IP Pools Server section of System Configuration: Advanced in order to configure the IP pools on the ACS.

Problem Type

Troubleshoot software feature

Product Family

Cisco Secure access control server

VPN - 3000 series concentrator

Content for Community-Ad