ASA 5520 to ACS

joshthek1

I am setting up VPN on an ASA 5520 running version 8.2(3). I used the wizard to get it set up. I have two ACS servers located on different subnets than my ASA across an MPLS network. I am able to ping other servers on both these subnets from my ASA. Ping is disabled on the ACS boxes themselves. When I attempt to VPN in, I get a message on the ASA that states:

Routing failed to located next hop for TCP from identity: IPADDRESS/63050 to inside: IPADDRESS/49

Any help would be greatly appreciated.  Thanks,

Josh

Accepted Solutions

Hi,

You're trying to VPN in and authenticate against the ACS?

First, verify that the ASA is communicating correctly with the ACS and that the user is valid with the command

test aaa auth cisco host 1.1.1.1 user cisco pass cisco

Change:

cisco --> aaa server group name

1.1.1.1 ---> IP of the ACS

cisco/cisco --> user credentials

If you get a successful response, then the ASA is authenticating the client fine and we look into the VPN configuration.

If you get a bad response, there's a communication issue between the ASA and the ACS.

Federico.

Thanks for your response. I got an Authentication Successful message when trying this.

I have seen others with the same issue regarding the crypto map configuration.  I don't know much about them but think this might be where my problem is.  I used the wizard to create my VPN, but maybe the crypto map I need to do manually?  Let me know if you agree and/or have any insight to this.  Thanks,

Josh

You can create the entire configuration via ASDM or CLI.

If you get authentication successful from the ASA, then all the communication between the ASA and ACS is fine.

Are you still getting the error when coming from the VPN client?

If so... do you have the authentication set as local for the VPN client connections?

Federico.

Sorry was away for a couple days.  So today I tested again and it all worked fine!  Very odd, but I'll take it.

Thanks for your help on this. I appreciated the clear instructions on that test procedure.
