FLEXVPN with ACS - Client got ACS IP instead of Pool - Bug?

datacenter (Level 1)

Dear all,

 

I'm trying to configure FlexVPN on a 4351 router and a strange behavior is happening.

When the VPN is established, the client gets the ACS IP, in this case 10.1.1.198. It looks like a bug.

Pool is configured.

Can someone help me?

Thank you.

VPN configuration attached.
3 Replies

Hi,

The issue does sound bizarre, not something I've seen.

I've had a quick look at the configuration. Although you've got authorization defined for radius group ACS in the IKEv2 profile, you are using a local authorization method list "test-auth", and this method list does not instruct the virtual-template which source IP address to use. The configuration of the virtual-template is set to "no ip address"; in my experience this works if the AAA server then instructs the router which loopback to use depending on authorisation.

In short, I think if you just define a local loopback interface with an IP address and then configure the virtual-template with "ip unnumbered loopback X" this should work.

HTH

Thanks for responding.

It didn't work. I tried this:

interface Loopback200
 ip address 10.96.200.254 255.255.255.0

interface Virtual-Template20 type tunnel
 ip vrf forwarding INET1
 ip unnumbered Loopback200
 tunnel mode ipsec ipv4
 tunnel vrf INET1
 tunnel protection ipsec profile profile1

Any suggestions?

 

Accepted solution (from the original poster):

The problem was in the ACS.

It was occurring because the authorization profile had an attribute "Framed-IP-Address" set to 10.1.1.198. That's weird, because the person who put it there was an engineer from Cisco TAC last year, and this configuration had been working since then.

Thank you.
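What ACS actually sends back to the router can be checked on the router with "debug radius": a Framed-IP-Address attribute in the Access-Accept is the value the client ends up with, regardless of the local pool. The following is an added example, not code from this thread or from Cisco. It decodes a RADIUS Access-Accept (RFC 2865 framing, attributes 8, 9 and the Cisco Vendor-Specific attribute 26 with vendor ID 9) and reports the address-assignment attributes, so a stale Framed-IP-Address shows up beside the pool reference. The packet bytes, the pool name POOL1 and the cisco-avpair text are constructed for illustration and are not taken from the poster's ACS profile.

```python
"""Decode a RADIUS Access-Accept and report the address-assignment attributes.

Added example, not code from the thread or from Cisco. The packet bytes are
constructed; the RADIUS framing (RFC 2865) and attribute numbers are real.
"""
import ipaddress
import struct

ACCESS_ACCEPT = 2          # RADIUS code field
FRAMED_IP_ADDRESS = 8      # RFC 2865 attribute: fixed client address
FRAMED_IP_NETMASK = 9
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor type of cisco-avpair inside the VSA


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into its header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    attrs = []
    pos = 20                           # header: code, id, length, 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier, "attributes": attrs}


def address_overrides(packet: bytes) -> dict:
    """Return the attributes in an Access-Accept that decide the client's address.

    A Framed-IP-Address returned by the AAA server is handed to the client as-is,
    which is why the stale 10.1.1.198 in the ACS profile beat the local pool.
    """
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return {}
    found = {}
    for atype, value in parsed["attributes"]:
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            found["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == FRAMED_IP_NETMASK and len(value) == 4:
            found["Framed-IP-Netmask"] = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                found.setdefault("cisco-avpair", []).append(
                    value[6:4 + vlen].decode("ascii", "replace"))
    return found


# --- builders for the constructed sample packets -------------------------

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Encode one cisco-avpair as the value of a Vendor-Specific attribute."""
    data = text.encode("ascii")
    return struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(data) + 2]) + data


def build_access_accept(identifier: int, attrs: list) -> bytes:
    body = b"".join(_attr(t, v) for t, v in attrs)
    authenticator = bytes(16)          # constructed: not a real Response Authenticator
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + authenticator + body


# Constructed: what the stale ACS authorization profile would return. The pool
# name and the avpair text are illustrative, not taken from the thread.
STALE_PROFILE = build_access_accept(7, [
    (VENDOR_SPECIFIC, cisco_avpair("ipsec:addr-pool=POOL1")),
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.198").packed),
])

# Constructed: the same profile with Framed-IP-Address removed, as the poster did.
FIXED_PROFILE = build_access_accept(8, [
    (VENDOR_SPECIFIC, cisco_avpair("ipsec:addr-pool=POOL1")),
])

if __name__ == "__main__":
    for name, pkt in (("stale", STALE_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, address_overrides(pkt))
```

Run stand-alone, the stale profile decodes to both the pool reference and Framed-IP-Address 10.1.1.198, while the fixed profile yields only the pool reference. The same decoding is what "debug radius" prints on the router, so when a client receives an unexpected address, the Access-Accept attributes are the first place to look before suspecting the virtual-template or pool configuration.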
