Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4898
Views
0
Helpful
8
Replies

ASA 5510 VPN Remote Access with Radius authentication issue

layardterrero
Level 1
Level 1

‎07-14-2010 07:12 AM - edited ‎02-21-2020 04:44 PM

Hello,

I have a Cisco ASA 5510 with a remote access vpn configuration. I authenticate the users using a Radius server.The problem is that only two simultaneous users can connect (ping) my local network, after the 3rd user authenticate the VPN it can't ping the local network, but the two first users to login can ping and connect to my local network.

I dont have limited users on the ASA, all the users can authenticate, i can't see anything relevant in the syslog log file, can it be the Radius Server? it's installed in an old server.

I will really appreciate any help.

This is a portion of my configuration file:

access-list vpn extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0

ip ippool 10.0.0.1 - 10.0.0.254


aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (ethernet1) host 192.168.0.100


crypto ipsec transform-set myset1 esp-3des esp-sha-hmac

crypto dynamic-map dynmap1 20 set transform-set myset1

crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface ethernet0

crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp identity address
crypto isakmp enable ethernet0

group-policy RA-VPN internal
group-policy RA-VPN attributes
wins-server value 192.168.0.70
dns-server value 8.8.4.4
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group RA-VPN general-attributes
address-pool ippool
authentication-server-group (ethernet0) partnerauth
default-group-policy RA-VPN
tunnel-group  ipsec-attributes
pre-shared-key *****

Regards,

Layard Terrero

Labels:
0 Helpful
8 Replies 8

kenrandrews
Level 1
Level 1

‎07-14-2010 08:12 AM

When the third user connects do they get a valid IP? If so can you do a packet capture and see how far the packets are getting, as in never leaving the PC or making into the network and then not back out?

I don't see why it would be the radius server because all it is doing is authentication, unless you have some Authorization set up as well. If you really want to rule it out, just setup some local users and log directly into the ASA.

0 Helpful

layardterrero
Level 1
Level 1
In response to kenrandrews

‎07-14-2010 08:18 AM

The 3rd user get a valid ip address, in the VPN client i see the transmitted packets encrypted, but no encrypted packets received, so i guees that the traffic is not returning back.

I don't understand why it happens just with the 3rd user, i think that if it was a network issue it should happen with every users. What do you think?

Regards

0 Helpful

kenrandrews
Level 1
Level 1
In response to layardterrero

‎07-14-2010 08:34 AM

Yeah that is puzzling me as well. I am assuming that the third user is not always the same user or computer, right? Also you don't have more than one user coming from the same NATed IP address correct?

Have you tried starting from scratch and using the VPN Wizard for a base config just to see if that works?

0 Helpful

layardterrero
Level 1
Level 1
In response to kenrandrews

‎07-14-2010 08:57 AM

That's really what im gonna do if i dont get the direct solution (the one that i really want), comming from scratch. The users come from different computers and ip addresses.

0 Helpful

kenrandrews
Level 1
Level 1
In response to layardterrero

‎07-14-2010 09:07 AM

Sorry I don't have anything else for you this seems like a fluke thing to me. What happens if you ping the 3rd user from inside the network?

The best way I can think of to track this down is just do packet captures to follow the packets through the network and figure out where they are dropping(look into the Capture command). That will give you at least a starting point to figure out where to start looking. You could also try the Packet Tracer tool inside the ASDM, but that is kind of limited in this case.

0 Helpful

layardterrero
Level 1
Level 1
In response to kenrandrews

‎07-14-2010 05:33 PM

Another idea?? :S tomorow i run the capture command

I will really appreciate any idea or help.

0 Helpful

layardterrero
Level 1
Level 1
In response to layardterrero

‎07-18-2010 07:05 PM

I configured it again with the NAT-T enabled, it solved the problem.

Regards,

0 Helpful

shivudu1984
Level 1
Level 1
In response to layardterrero

‎12-28-2010 11:02 AM

Hi

Can you post the config with NAT-T enabled?? Currently i am configuring RAVPN on Cisco 5510 with windows server 2008 R2 as my RADIUS server.

Thanks

0 Helpful
Customers Also Viewed These Support Documents