Can we create multiple l2tp/ipsec vpn sessions from 1 IP?

tanzeus129
Level 1

I have a question.

Cisco asa5520 endpoint @ HQ

remote access vpn setup

clients are Microsoft and/or Cisco l2tp/ipsec with computer certificates

----

dilemma ..

When employees travel together, for example at a hotel, train or partner site, they can only open 1 VPN session at a time from 1 remote IP.

When one session is successful, no other sessions can be opened.

Anybody know if it is possible to bypass this?

NAT-T is enabled

11 Replies

manish arora
Level 6

Post the Group policy associated with that Tunnel Group.

Check for vpn-simultaneous-logins allowed under the Group policy.

Manish

vpn-simultaneous-logins allowed is for many people logging in with the same ID, not from the same IP... am I correct?

Examples

The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4

Note: When you log in using the same user account from a different PC, the current session (the connection established from another PC using the same user account) is terminated, and the new session is established. This is the default behaviour and is independent of VPN simultaneous logins.

Manish

That is to accept 4 sessions for that specific policy.

I do not want to put a limit on that

E.g.

Suppose I have 10 users staying at a hotel A which has a public IP

1.2.3.4

they want to connect to my HQ (cisco 5520 asa) at public IP

9.8.7.6

Once 1 user that is being NATted behind 1.2.3.4 connects, the rest (other 9) can't connect.

Ok, Tan, that is why I asked you whether you have anything like vpn-logins configured on your Group policy to which these users connect.

Paste the remote VPN configuration from your ASA, so that we can look at the configuration. Please remove your public IPs and passwords before pasting it here.

Also paste the output of this:

sh run | inc crypto isakmp nat-t

Manish
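Manish's suggestion above comes down to two checks on the ASA running config: whether `crypto isakmp nat-traversal` is present, and what `vpn-simultaneous-logins` the group policy actually used by the L2TP tunnel-group allows (remembering, as Tan notes, that this limit is per user account, not per source IP). The following Python script is an added example, not code from this thread or from Cisco, that parses those two items out of a `show running-config` text. The config excerpt inside it is constructed (placeholder tunnel-group and policy names, no addresses), and the DfltGrpPolicy inheritance and the default of 3 logins when nothing is configured are assumptions about ASA behaviour.

```python
import re

# Constructed ASA running-config excerpt (not the thread author's ASA; no real addresses).
SAMPLE_RUN = """\
crypto isakmp nat-traversal 33
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-simultaneous-logins 4
group-policy SecondGroup internal
group-policy SecondGroup attributes
 vpn-simultaneous-logins 1
tunnel-group L2TP-RA type remote-access
tunnel-group L2TP-RA general-attributes
 default-group-policy FirstGroup
tunnel-group L2TP-RA ppp-attributes
 authentication ms-chap-v2
"""


def nat_traversal_keepalive(run_cfg):
    """Return the NAT-T keepalive interval (seconds), or None if NAT-T is not configured."""
    m = re.search(r"^crypto isakmp nat-traversal (\d+)\s*$", run_cfg, re.M)
    return int(m.group(1)) if m else None


def parse_group_policies(run_cfg):
    """Map each 'group-policy NAME attributes' block to an {attribute: value} dict."""
    policies = {}
    current = None
    for line in run_cfg.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the attributes block
    return policies


def tunnel_group_policies(run_cfg):
    """Map each remote-access tunnel-group to its default-group-policy (DfltGrpPolicy if unset)."""
    groups = {}
    current = None
    for line in run_cfg.splitlines():
        m = re.match(r"^tunnel-group (\S+) type remote-access\s*$", line)
        if m:
            groups[m.group(1)] = "DfltGrpPolicy"  # assumed ASA default when none is set
            continue
        m = re.match(r"^tunnel-group (\S+) general-attributes\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^ default-group-policy (\S+)\s*$", line)
        if m and current in groups:
            groups[current] = m.group(1)
        elif not line.startswith(" "):
            current = None
    return groups


def effective_simultaneous_logins(policies, name):
    """Resolve vpn-simultaneous-logins, inheriting from DfltGrpPolicy (assumed default: 3)."""
    value = policies.get(name, {}).get("vpn-simultaneous-logins")
    if value is None and name != "DfltGrpPolicy":
        value = policies.get("DfltGrpPolicy", {}).get("vpn-simultaneous-logins")
    return int(value) if value is not None else 3


def audit(run_cfg):
    """Return a list of findings relevant to several clients connecting from behind one NAT."""
    findings = []
    if nat_traversal_keepalive(run_cfg) is None:
        findings.append("NAT-T not configured: ESP from clients behind NAT is not UDP-encapsulated")
    policies = parse_group_policies(run_cfg)
    for tg, pol in tunnel_group_policies(run_cfg).items():
        limit = effective_simultaneous_logins(policies, pol)
        if limit <= 1:
            findings.append(f"{tg}: policy {pol} allows only {limit} session(s) per user account")
    return findings


if __name__ == "__main__":
    print("NAT-T keepalive:", nat_traversal_keepalive(SAMPLE_RUN))
    for tg, pol in tunnel_group_policies(SAMPLE_RUN).items():
        limit = effective_simultaneous_logins(parse_group_policies(SAMPLE_RUN), pol)
        print(f"{tg} -> {pol}: vpn-simultaneous-logins {limit}")
    print("findings:", audit(SAMPLE_RUN) or "none")
```

Run it against the saved output of `show running-config` (read the file into `audit`) rather than the embedded sample. An empty findings list only means the two settings discussed in this thread are not the limiting factor; it says nothing about certificate or L2TP-level failures, which is why the request for client and ASA error logs later in the thread still stands.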

Well, I am asking: is it possible? What command parameter can make this work?

My config is irrelevant at this point.

All you need is crypto isakmp nat-tra 30 in the global mode. I have around 20 users who use the same wireless network to connect to the VPN ASA and I have not seen any issues.

Manish

ASA# sh run | inc crypto isakmp nat-t
crypto isakmp nat-traversal 33

Tan,

Since you already have NAT-T enabled and are not using any login limitation on the group policy, please post any error messages from the client side as well as error logs generated by your ASA. If possible, get debug crypto isakmp 128 / ipsec 128 as well when recreating the issue. I missed earlier that you were using a certificate for authentication, so error logs are a must.

Thanks

Manish

I am using a certificate to authenticate and then AD username and password.

I am wondering whether this issue is due to L2TP over IPsec over NAT-T.

I do not encounter the same issue with IPsec over NAT-T.