Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1103
Views
0
Helpful
1
Replies

Clients are able to authenticate but can't get beyond that.

benrad
Level 1
Level 1

‎04-26-2010 11:11 AM

We are using a 3005 Concentrator and everything was working just dandy up until last week. VPN clients were connecting and authenticating using Kerberos/AD and they were able to access all resources on our connected networks. All client related connectivity stopped working a few days ago. Authentication, connection, etc. I first thought that it was authentication issue so I set up RADIUS authentication on my DC and that fixed the lack of authentication. However, now my clients can no longer connect to any resources on our networks. There's no error message on the client or the concentrator (that I can tell) and everything else is in place (Network lists are correct, route print on the client PC shows all the correct routes to our network). I can ping internal network resources from the concentrator so I don't think it's a firewall issue.

Here's what's in the log when a client connects:

152 04/25/2010 09:09:28.250 SEV=5 IKEDBG/64 RPT=1 209.X.X.177

IKE Peer included IKE fragmentation capability flags:

Main Mode:        True

Aggressive Mode:  False

154 04/25/2010 09:09:58.960 SEV=4 IKE/52 RPT=1 209.X.X.177

Group [Boston] User [BenRadlinski]

User (BenRadlinski) authenticated.

155 04/25/2010 09:09:59.000 SEV=4 IKE/131 RPT=1 209.X.X.177

Group [Boston] User [BenRadlinski]

Received unknown transaction mode attribute: 28684

157 04/25/2010 09:09:59.000 SEV=5 IKE/184 RPT=1 209.X.X.177

Group [Boston] User [BenRadlinski]

Client Type: WinNT

Client Application Version: 5.0.06.0160

159 04/25/2010 09:10:00.940 SEV=5 IKE/233 RPT=1

Filter added for IPSec/UDP - address 66.X.X.6, port 10000

160 04/25/2010 09:10:00.940 SEV=4 AUTH/22 RPT=3 209.X.X.177

User [BenRadlinski] Group [Boston] connected, Session Type: IPSec

161 04/25/2010 09:10:00.940 SEV=4 IKE/119 RPT=3 209.X.X.177

Group [Boston] User [BenRadlinski]

PHASE 1 COMPLETED

162 04/25/2010 09:10:00.960 SEV=5 IKE/25 RPT=1 209.X.X.177

Group [Boston] User [BenRadlinski]

Received remote Proxy Host data in ID Payload:

Address 192.168.105.50, Protocol 0, Port 0

165 04/25/2010 09:10:00.960 SEV=5 IKE/34 RPT=2 209.X.X.177

Group [Boston] User [BenRadlinski]

Received local IP Proxy Subnet data in ID Payload:

Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

168 04/25/2010 09:10:00.960 SEV=5 IKE/66 RPT=2 209.X.X.177

Group [Boston] User [BenRadlinski]

IKE Remote Peer configured for SA: ESP-3DES-MD5

170 04/25/2010 09:10:00.960 SEV=5 IKE/75 RPT=2 209.X.X.177

Group [Boston] User [BenRadlinski]

Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

172 04/25/2010 09:10:00.990 SEV=4 IKE/49 RPT=12 209.X.X.177

Group [Boston] User [BenRadlinski]

Security negotiation complete for User (BenRadlinski)

Responder, Inbound SPI = 0x71d4c8c6, Outbound SPI = 0x06065ed8

175 04/25/2010 09:10:01.010 SEV=4 IKE/120 RPT=12 209.X.X.177

Group [Boston] User [BenRadlinski]

PHASE 2 COMPLETED (msgid=6bca78b0)

176 04/25/2010 09:10:01.010 SEV=4 NAC/27 RPT=1

NAC is disabled for peer - PUB_IP:209.X.X.177, PRV_IP:192.168.105.50


Any help would be appreciated.

Thanks.

Labels:
0 Helpful
1 Reply 1

benrad
Level 1
Level 1

‎04-27-2010 11:17 AM

This seems to be isolated to Windows 7 clients now. I recall seeing something about this elsewhere in the forum, so I'll search around.

Thanks,

Ben

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents