11-08-2010 10:48 AM
I am setting up VPN on an ASA 5520 running version 8.2(3). I used the wizard to get it set up. I have two ACS servers located on different subnets than my ASA across an MPLS network. I am able to ping other servers on both these subnets from my ASA. Ping is disabled on the ACS boxes themselves. When I attempt to VPN in, I get a message on the ASA that states
Routing failed to located next hop for TCP from identity: IPADDRESS/63050 to inside: IPADDRESS/49
Any help would be greatly appreciated. Thanks,
Josh
11-08-2010 02:28 PM
Hi,
You're trying to VPN in and authenticate against the ACS?
First, verify that the ASA is communicating correctly with the ACS and that the user is valid with the command
test aaa auth cisco host 1.1.1.1 user cisco pass cisco
Change:
cisco --> aaa server group name
1.1.1.1 ---> IP of the ACS
cisco/cisco --> user credentials
If you get a successful response, then the ASA is authenticating the client fine and we look into the VPN configuration.
If you get a bad response, there's a communication issue between the ASA and the ACS.
Federico.
11-09-2010 06:00 AM
Thanks for your response. I got an Authentication Successful message when trying this.
I have seen others with the same issue regarding the crypto map configuration. I don't know much about them but think this might be where my problem is. I used the wizard to create my VPN, but maybe the crypto map I need to do manually? Let me know if you agree and/or have any insight to this. Thanks,
Josh
11-10-2010 09:00 AM
You can create the entire configuration via ASDM or CLI.
If you get authentication successful from the ASA, then all the communication between the ASA and ACS is fine.
Are you still getting the error when coming from the VPN client?
If so... do you have the authentication set as local for the VPN client connections?
Federico.
11-12-2010 09:27 AM
Sorry was away for a couple days. So today I tested again and it all worked fine! Very odd, but I'll take it.
11-12-2010 09:28 AM
Thanks for your help on this. I appreciated the clear instructions on that test procedure.
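Added example, not part of the thread: a small log filter for the routing error quoted in the first post. It flags cases where the firewall itself (source interface "identity") cannot find a next hop to an AAA service port such as TCP/49 (TACACS+), which is what makes remote-access logins fail. The function names and the sample lines are constructed for illustration, and the pattern matches on the message text only.

```python
import re
from collections import Counter

# Tolerates the wording variants seen in the post ("located", "next hop").
PATTERN = re.compile(
    r"Routing failed to located? next[- ]hop for (?P<proto>\w+) "
    r"from (?P<src_if>[\w-]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[\w-]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Well-known AAA ports: TACACS+ is TCP/49; RADIUS is UDP/1812-1813 (legacy 1645-1646).
AAA_PORTS = {("TCP", 49): "TACACS+", ("UDP", 1812): "RADIUS", ("UDP", 1813): "RADIUS",
             ("UDP", 1645): "RADIUS", ("UDP", 1646): "RADIUS"}

def aaa_routing_failures(lines):
    """Return one record per log line where the firewall itself ("identity")
    could not route a packet to an AAA service port."""
    hits = []
    for line in lines:
        m = PATTERN.search(line)
        if not m or m["src_if"].lower() != "identity":
            continue  # not the routing error, or transit traffic rather than to-the-box
        service = AAA_PORTS.get((m["proto"].upper(), int(m["dst_port"])))
        if service:
            hits.append({"service": service, "egress": m["dst_if"], "server": m["dst_ip"]})
    return hits

def summarize(hits):
    """Count failures per (service, server, egress interface)."""
    return Counter((h["service"], h["server"], h["egress"]) for h in hits)

# Constructed sample lines using documentation addresses, not values from the thread.
SAMPLE = [
    "Routing failed to located next hop for TCP from identity: 192.0.2.1/63050 to inside: 198.51.100.10/49",
    "Routing failed to locate next-hop for TCP from identity:192.0.2.1/63051 to inside:198.51.100.10/49",
    "Routing failed to locate next-hop for UDP from identity:192.0.2.1/1025 to inside:198.51.100.11/1645",
    "Routing failed to locate next-hop for TCP from outside:203.0.113.5/40000 to inside:198.51.100.20/443",
    "Built outbound TCP connection 1 for inside:198.51.100.10/49",
]

if __name__ == "__main__":
    for key, count in summarize(aaa_routing_failures(SAMPLE)).items():
        print(count, *key)
```

A repeated hit for the same server and egress interface points at a missing or wrong route toward the AAA subnet rather than at the VPN configuration.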