I have a Cisco ASA 5510 with a remote access VPN configuration. I authenticate the users using a RADIUS server. The problem is that only two simultaneous users can connect to (ping) my local network; after the 3rd user authenticates to the VPN it can't ping the local network, but the first two users to log in can ping and connect to my local network.
I don't have limited users on the ASA, all the users can authenticate, and I can't see anything relevant in the syslog log file. Can it be the RADIUS server? It's installed on an old server.
I will really appreciate any help.
This is a portion of my configuration file:
access-list vpn extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
ip ippool 10.0.0.1 - 10.0.0.254
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (ethernet1) host 192.168.0.100
crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 20 set transform-set myset1
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface ethernet0
crypto isakmp policy 30
crypto isakmp identity address
crypto isakmp enable ethernet0
group-policy RA-VPN internal
group-policy RA-VPN attributes
wins-server value 192.168.0.70
dns-server value 188.8.131.52
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-network-list value vpn
tunnel-group RA-VPN general-attributes
authentication-server-group (ethernet0) partnerauth
When the third user connects do they get a valid IP? If so can you do a packet capture and see how far the packets are getting, as in never leaving the PC or making into the network and then not back out?
I don't see why it would be the radius server because all it is doing is authentication, unless you have some Authorization set up as well. If you really want to rule it out, just setup some local users and log directly into the ASA.
The 3rd user gets a valid IP address. In the VPN client I see the transmitted packets encrypted, but no encrypted packets received, so I guess that the traffic is not returning back.
I don't understand why it happens just with the 3rd user; I think that if it was a network issue it should happen with every user. What do you think?
Yeah that is puzzling me as well. I am assuming that the third user is not always the same user or computer, right? Also you don't have more than one user coming from the same NATed IP address correct?
Have you tried starting from scratch and using the VPN Wizard for a base config just to see if that works?
That's really what I'm gonna do if I don't get the direct solution (the one that I really want): starting from scratch. The users come from different computers and IP addresses.
Sorry I don't have anything else for you this seems like a fluke thing to me. What happens if you ping the 3rd user from inside the network?
The best way I can think of to track this down is just to do packet captures to follow the packets through the network and figure out where they are dropping (look into the Capture command). That will give you at least a starting point to figure out where to start looking. You could also try the Packet Tracer tool inside the ASDM, but that is kind of limited in this case.
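As an added illustration of the capture and packet-tracer approach suggested above (example commands, not from the thread): this assumes the third user was handed 10.0.0.3 from the pool, that ethernet0 is the outside (VPN-facing) interface and ethernet1 the inside interface as in the posted config, and that 192.168.0.50 is some inside host the user is pinging.

```cisco
! Capture the third user's traffic on both sides of the ASA so you can see
! whether the echo request arrives decrypted on the inside and whether the
! reply ever comes back to be encrypted on the outside.
! (10.0.0.3 and 192.168.0.50 are assumed addresses for this example.)
capture cap-in  interface ethernet1 match ip host 10.0.0.3 192.168.0.0 255.255.0.0
capture cap-out interface ethernet0 match ip host 10.0.0.3 192.168.0.0 255.255.0.0

! Have the third user ping an inside host, then compare the two captures:
! request present in cap-in but no reply = the inside host or its route back
! to 10.0.0.0/24 is the problem; nothing at all in cap-in = the ASA dropped it.
show capture cap-in
show capture cap-out

! Simulate the return path from an inside host toward the VPN client
! (ICMP echo, type 8 code 0) and read each phase for a DROP verdict,
! e.g. a NAT or ACL rule catching the VPN pool subnet.
packet-tracer input ethernet1 icmp 192.168.0.50 8 0 10.0.0.3

! Confirm which pool address each connected session actually holds.
show vpn-sessiondb remote

! Remove the captures when finished.
no capture cap-in
no capture cap-out
```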
Can you post the config with NAT-T enabled? Currently I am configuring RA VPN on a Cisco 5510 with Windows Server 2008 R2 as my RADIUS server.