FTD - RA VPN authentication timeout

Romcisan
Frequent Visitor

Hi,

I am using a 5516-FTD-X connected to FMC. For the AnyConnect VPN connection, the RADIUS server is on a remote network (reached via a site-to-site tunnel).

Unfortunately, when users try to log in, the authentication process fails (the request is not reaching RADIUS at all).


I suspect the problem is that the FTD is not passing the auth. requests through the VPN tunnel.

On the ASA platform I would use the command "management-access inside".

But here I am not sure... Any ideas? Or am I completely wrong?

Thanks 🙂


Example output:

> show aaa-server

Server Group: RADIUS
Server Protocol: radius
Server Address: 192.168.144.10
Server port: 1812(authentication), 1813(accounting)
Server status: ACTIVE, Last transaction at 12:30:49 UTC Mon Jan 29 2018
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 20
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 40
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 20
Number of unrecognized responses 0
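
The counters above already tell most of the story: every one of the 20 authentication requests timed out, each was retransmitted twice, and the server produced zero accepts and zero rejects, so the RADIUS server never answered at all. The following is an added example (not part of the original post) that parses such a `show aaa-server` block and classifies the failure pattern, so the operator can tell a path problem (routing, NAT, crypto ACL) apart from a credential or shared-secret problem. The sample text is a constructed copy of the output posted above; the classification labels are the example's own.

```python
"""Triage helper for ASA/FTD `show aaa-server` counters.

Added example, not part of the original forum post. It parses the
"Number of ..." counter lines and classifies the failure pattern:
  - "no_response": every request timed out, no accept/reject at all
                   (server unreachable: routing, NAT exemption, tunnel)
  - "shared_secret_mismatch": server answered but the RADIUS Response
                   Authenticator failed to verify (wrong shared secret)
  - "rejected":    server reachable, credentials or policy problem
"""
import re

# Constructed sample: a copy of the counter block from the thread.
SAMPLE_OUTPUT = """\
Server Group: RADIUS
Server Protocol: radius
Server Address: 192.168.144.10
Server port: 1812(authentication), 1813(accounting)
Server status: ACTIVE, Last transaction at 12:30:49 UTC Mon Jan 29 2018
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 20
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 40
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 20
Number of unrecognized responses 0
"""

# Matches lines such as "Number of authentication requests 20".
COUNTER_RE = re.compile(r"^Number of (?P<name>[a-z ]+?) (?P<value>\d+)$", re.M)


def parse_counters(text: str) -> dict[str, int]:
    """Return a mapping like {'authentication requests': 20, 'timeouts': 20, ...}."""
    return {m["name"]: int(m["value"]) for m in COUNTER_RE.finditer(text)}


def retransmits_per_request(counters: dict[str, int]) -> float:
    """How many times, on average, each authentication request was resent."""
    req = counters.get("authentication requests", 0)
    return counters.get("retransmissions", 0) / req if req else 0.0


def classify(counters: dict[str, int]) -> str:
    """Map the counter pattern to a coarse failure class (labels are this example's own)."""
    req = counters.get("authentication requests", 0)
    accepts = counters.get("accepts", 0)
    rejects = counters.get("rejects", 0)
    timeouts = counters.get("timeouts", 0)
    bad_auth = counters.get("bad authenticators", 0)

    if req == 0:
        return "no_traffic"  # nothing has tried to authenticate against this server yet
    if accepts == 0 and rejects == 0 and timeouts == req:
        return "no_response"  # all requests timed out: a path problem, not a credential one
    if bad_auth > 0:
        return "shared_secret_mismatch"  # replies arrived but their authenticator did not verify
    if accepts == 0 and rejects > 0:
        return "rejected"  # server is reachable; look at users, groups and server policy
    return "partial"  # mixed results: some accepts, some failures


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_OUTPUT)
    print(f"class={classify(counters)} retransmits/request={retransmits_per_request(counters):.1f}")
```

For the thread's output the result is `no_response`, which matches the later observation that the server has no hits and does not answer ping from the FTD CLI: the requests are not getting to it.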

3 Replies

Are you able to reach the RADIUS server from the FTD? On your RADIUS server, verify whether you are getting authentication hits for AnyConnect users to confirm if it is reaching or not.

Verify your routing, NAT exemption (if required) and crypto ACLs on the FTD.

No. The RADIUS server is not responding to ping (directly from the FTD CLI). When trying:

> test aaa-server authentication ..., 

ERROR: Authentication Server not responding: No response from server

The RADIUS server has no hits.

Access control policy and NAT exemption are set.


Basically, I followed this guide: https://www.youtube.com/watch?v=wPJzx96f8GI


Any ideas? Is it necessary to add a default route for management? I am not sure.

Thank you for any suggestions.