Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1206
Views
0
Helpful
3
Replies

FLEXVPN with ACS - Client got ACS IP instead of Pool - Bug?

Go to solution
datacenter
Level 1
Level 1

‎04-12-2018 11:28 AM - edited ‎03-12-2019 05:11 AM

Dear all,

 

I'm trying to configure a flexvpn in a 4351 router and a strange behavior is happening.

When the VPN is established, the client gets the ACS IP, in this case, 10.1.1.198. It looks like a Bug.

Pool is configured.

 

May someone help me?

Thank you.

 

VPN configuration attached.

 

 

 

Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
datacenter
Level 1
Level 1
In response to datacenter

‎04-16-2018 11:13 AM

The problem was in the ACS.

It was occurring, because the authorization profile had a attribute "Framed-IP-Address" with 10.1.1.198. That's weird, because who put it there was a engineer from Cisco TAC last year. And this configurations was working from that time.

 

Thank you.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎04-12-2018 01:27 PM

Hi,

 

The issue does sound bizarre, not something I've seen.

 

I've had a quick look at the configuration. Although you've got authorization defined for radius group ACS in the IKEv2 profile you are using a local authorization method list "test-auth", this method list does not instruct the virtual-template which source IP address to use. The configuration of the virtual-template is set to "no ip address", in my experience this works if the AAA server then instructs the router which loopback to use depending on authorisation.

 

In short, I think if you just define a local loopback interface with IP address and then configure the virtual-template with "ip unnumbered loopback X" this should work.

 

HTH

0 Helpful

Go to solution
datacenter
Level 1
Level 1
In response to Rob Ingram

‎04-12-2018 06:13 PM

Thanks for responding.

 

It didn't work. I tried to put it:

 

interface Loopback200
 ip address 10.96.200.254 255.255.255.0

 

interface Virtual-Template20 type tunnel
 ip vrf forwarding INET1
 ip unnumbered Loopback200
 tunnel mode ipsec ipv4
 tunnel vrf INET1
 tunnel protection ipsec profile profile1

 

any suggestions?

 

0 Helpful

Go to solution
datacenter
Level 1
Level 1
In response to datacenter

‎04-16-2018 11:13 AM

The problem was in the ACS.

It was occurring, because the authorization profile had a attribute "Framed-IP-Address" with 10.1.1.198. That's weird, because who put it there was a engineer from Cisco TAC last year. And this configurations was working from that time.

 

Thank you.

0 Helpful
Customers Also Viewed These Support Documents