08-26-2011 08:48 AM
All,
I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to them recently. At that point I had to reload the ASAs so users could start signing back in. Today we had a similar issue, but I didn't have to reload the ASAs; the issue 'resolved' itself. The VPN clients are getting Error code: 433 and the ASAs are logging Reason: Peer Address Changed when this occurs.
ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
version 8.3.2
I'm worried that it could strike again. Any help is appreciated.
Thanks,
Bill
08-26-2011 09:11 AM
Error Message %ASA-5-713259: Group = groupname, Username = username, IP = peerIP, Session is being torn down. Reason: reason
Explanation The termination reason for the ISAKMP session appears, which occurs when the session is torn down through session management.
• groupname — The tunnel group of the session being terminated
• username — The username of the session being terminated
• peerIP — The peer address of the session being terminated
• reason — The RADIUS termination reason of the session being terminated. Reasons include the following:
- Port Preempted (simultaneous logins)
- Idle Timeout
- Max Time Exceeded
- Administrator Reset
Recommended Action None required.
Do you have any of the parameters set (in red)?
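Since the reason field of %ASA-5-713259 is what distinguishes the teardowns in this thread from routine idle timeouts, a small parser over the syslog feed makes the pattern visible. This is an added example, not code from the original thread or from Cisco; the log lines are constructed (RFC 5737 addresses, invented usernames) and follow the message layout quoted above.

```python
import re
from collections import Counter

# Field layout (Group, Username, IP, Reason) taken from the syslog reference quoted above.
TEARDOWN_RE = re.compile(
    r"%ASA-5-713259: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session is being torn down\. Reason: (?P<reason>.+)$"
)

def parse_teardown(line):
    """Return the fields of a 713259 message as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line.strip())
    return m.groupdict() if m else None

def reason_counts(lines):
    """Count teardown reasons across a batch of syslog lines."""
    counts = Counter()
    for line in lines:
        rec = parse_teardown(line)
        if rec:
            counts[rec["reason"]] += 1
    return counts

def peers_with_address_change(lines):
    """Sorted usernames torn down with 'Peer Address Changed'. Many different
    users hitting this within minutes is the head-end-wide symptom described
    in the thread; one user hitting it repeatedly points at that user's path."""
    return sorted({rec["user"] for rec in map(parse_teardown, lines)
                   if rec and rec["reason"] == "Peer Address Changed"})

# Constructed sample log lines, not real data; the last one is an unrelated
# message included only to show that non-713259 lines are skipped.
SAMPLE_LOG = [
    "Aug 26 2011 08:40:12 asa1 %ASA-5-713259: Group = RemoteUsers, Username = alice, IP = 203.0.113.10, Session is being torn down. Reason: Peer Address Changed",
    "Aug 26 2011 08:40:15 asa1 %ASA-5-713259: Group = RemoteUsers, Username = bob, IP = 203.0.113.22, Session is being torn down. Reason: Peer Address Changed",
    "Aug 26 2011 08:41:02 asa1 %ASA-5-713259: Group = RemoteUsers, Username = carol, IP = 203.0.113.31, Session is being torn down. Reason: Idle Timeout",
    "Aug 26 2011 08:41:09 asa1 %ASA-6-000000: unrelated message (constructed placeholder)",
]

if __name__ == "__main__":
    print(reason_counts(SAMPLE_LOG))
    print(peers_with_address_change(SAMPLE_LOG))
```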
08-26-2011 11:59 AM
Cisco VPN client users might receive this error when they attempt the connection with the head end VPN device.
"VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)" or "Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool"
The problem might be with the IP pool assignment either through ASA/PIX, Radius server, DHCP server or through Radius server acting as DHCP server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.
This issue also occurs due to the failure of extended authentication. You must check the AAA server to troubleshoot this error. Checking the server authentication password on the server and client and reloading the AAA server might resolve this issue.
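The pool check recommended above (no network or broadcast address inside the address pool) can be automated against the running config. This is an added example, not code from the thread or from Cisco; it parses the standard `ip local pool NAME first-last mask MASK` line and the sample config lines are constructed.

```python
import ipaddress
import re

# Matches the ASA 'ip local pool' form with an explicit mask.
POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<first>[\d.]+)-(?P<last>[\d.]+) mask (?P<mask>[\d.]+)$"
)

def parse_pool(config_line):
    """Return (name, first, last, mask) for an 'ip local pool' line."""
    m = POOL_RE.match(config_line.strip())
    if not m:
        raise ValueError("not an 'ip local pool ... mask ...' line: %r" % config_line)
    return (m["name"], ipaddress.IPv4Address(m["first"]),
            ipaddress.IPv4Address(m["last"]), m["mask"])

def unusable_pool_addresses(config_line):
    """Addresses in the pool that are the network or broadcast address of the
    subnet implied by the pool's mask. An empty list means the pool passes the
    check; a pool spanning several subnets is checked per subnet."""
    name, first, last, mask = parse_pool(config_line)
    bad = []
    addr = first
    while addr <= last:
        net = ipaddress.IPv4Network((str(addr), mask), strict=False)
        if addr in (net.network_address, net.broadcast_address):
            bad.append(str(addr))
        addr += 1
    return bad

# Constructed sample config lines for illustration.
GOOD_POOL = "ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0"
BAD_POOL = "ip local pool VPNPOOL 10.10.10.0-10.10.10.255 mask 255.255.255.0"

if __name__ == "__main__":
    for line in (GOOD_POOL, BAD_POOL):
        print(line, "->", unusable_pool_addresses(line) or "ok")
```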
08-28-2011 08:29 AM
Thanks for the responses. I typed in 'debug crypto ipsec' and got no results. Did I use the command properly?
08-28-2011 12:34 PM
Hello,
Please make sure the VPN client pool doesn't contain the network address or the broadcast address. Please post the VPN client pool ACL here if possible.
Another point: what kind of operating system runs on the client side? If it's Windows, then what exactly is the version, i.e. XP, Vista, 7?
Regards,
Mohamed
08-29-2011 05:33 AM
The VPN client pool does not contain the network or broadcast address. The operating system on the client side is XP SP3.
The ACLs are as follows.
access-list outside_access_in_1 extended permit udp any host x.x.x.x eq bootpc
access-list outside_access_in_1 extended permit udp any host x.x.x.x eq bootps
access-list outside_access_in_1 extended permit udp any any eq bootpc
access-list outside_access_in_1 extended permit udp any any eq bootps
access-list DHCP extended permit ip any host x.x.x.x
access-list DHCP extended permit ip host x.x.x.x any
access-list cap extended permit ip any host x.x.x.x
access-list cap extended permit ip host x.x.x.x any
access-list tac extended permit udp host y.y.y.y host x.x.x.x eq bootps
access-list tac extended permit udp host y.y.y.y host x.x.x.x eq bootpc
access-list tac extended permit udp host x.x.x.x host y.y.y.y eq bootps
access-list tac extended permit udp host x.x.x.x host y.y.y.y eq bootpc
01-23-2014 06:45 AM
Are you authenticating against an AAA server? I wonder if the problem is not really with the ASA itself, but issues connecting to your AAA server. Do you have more than one AAA server specified? If so, are they still valid?