Peer Address Changed

wngwngwng
Level 1

All,

I am currently having some problems on our 5520 ASAs. The problem is the IPSec VPN clients not being able to connect. We have had an issue twice this week where this happened. Earlier in the week we had folks not able to sign in, but some folks who were connected already stayed connected. The ASAs had been up for 200+ days and no changes have been made to it recently. At that point I had to reload the ASAs so users could start signing back in to it. Today we had a similar issue, but I didn’t have to reload the ASAs. The issue ‘resolved’ itself. The VPN clients are getting Error code: 433 and the ASAs are getting Reason: Peer Address Changed when this occurs.

ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

version 8.3.2

I'm worried that it could strike again.  Any help is appreciated.

Thanks,

Bill


Collin Clark
VIP Alumni

Error Message    %ASA-5-713259: Group = groupname, Username = username, IP = peerIP, Session is being torn down. Reason: reason

Explanation    The termination reason for the ISAKMP session appears, which occurs when the session is torn down through session management.

groupname—The tunnel group of the session being terminated

username—The username of the session being terminated

peerIP—The peer address of the session being terminated

reason—The RADIUS termination reason of the session being terminated. Reasons include the following:

- Port Preempted (simultaneous logins)

- Idle Timeout

- Max Time Exceeded

- Administrator Reset

Recommended Action    None required.

Do you have any of the parameters set (in red)?

VPN Client Drops Connection Frequently on First Attempt or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)"

Problem

Cisco VPN client users might receive this error when they attempt the connection with the head end VPN device.

"VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)" or "Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool"

Solution 1

The problem might be with the IP pool assignment either through ASA/PIX, Radius server, DHCP server or through Radius server acting as DHCP server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.

Solution 2

This issue also occurs due to the failure of extended authentication. You must check the AAA server to troubleshoot this error. Checking the server authentication password on Server and client and reloading the AAA server might resolve this issue.
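The pool check from Solution 1, as an added example that is not part of the original thread or of Cisco's documentation: it reads `ip local pool ... mask ...` lines and reports pool addresses that are a network or broadcast address under the configured mask. The pool names and addresses are constructed sample values, and the helper names `pool_conflicts` and `audit_config` are hypothetical.

```python
import ipaddress
import re

# Matches the ASA form: ip local pool NAME first-last mask MASK
POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}) mask (\d+(?:\.\d+){3})$"
)

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
ip local pool VPN-GOOD 10.10.20.1-10.10.20.254 mask 255.255.255.0
ip local pool VPN-BAD 10.10.30.0-10.10.30.255 mask 255.255.255.0
ip local pool VPN-SPAN 10.10.40.100-10.10.40.140 mask 255.255.255.224
"""


def pool_conflicts(first, last, mask):
    """List (address, kind) for pool members that are a subnet's network
    (all-zeros host bits) or broadcast (all-ones host bits) address."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if end < start:
        raise ValueError("pool end address is below the start address")
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")  # rejects invalid masks
    if net.prefixlen >= 31:  # /31 and /32 have no network/broadcast address
        return []
    hostmask = int(net.hostmask)
    found = []
    base = start & ~hostmask  # network address of the subnet holding `start`
    while base <= end:  # walk every subnet the pool range touches
        for addr, kind in ((base, "network"), (base | hostmask, "broadcast")):
            if start <= addr <= end:
                found.append((str(ipaddress.IPv4Address(addr)), kind))
        base += hostmask + 1
    return found


def audit_config(text):
    """Map each pool name found in the config text to its conflicts."""
    report = {}
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last, mask = m.groups()
            report[name] = pool_conflicts(first, last, mask)
    return report


if __name__ == "__main__":
    for name, issues in audit_config(SAMPLE_CONFIG).items():
        print(name, issues or "ok")
```

A pool that spans several subnets under its mask, like the constructed `VPN-SPAN` entry, can contain a broadcast and a network address in the middle of the range even though its first and last addresses look harmless.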

Thanks for the responses.  I typed in 'debug crypto ipsec' and got no results.  Did I use the command properly?

Mohamed Sobair
Level 7

Hello,

Please make sure the VPN client pool doesn't contain the network address or the broadcast address. Please post the VPN client pool ACL here if possible.

Another point: what kind of operating system runs on the client side? If it's Windows, then what exactly is the version, i.e. XP, Vista, 7?

Regards,

Mohamed

The VPN clients pool does not contain the network or broadcast address.  The operating system on the client side is XP SP3.

The ACLs are as follows.

access-list outside_access_in_1 extended permit udp any host x.x.x.x eq bootpc

access-list outside_access_in_1 extended permit udp any host x.x.x.x eq bootps

access-list outside_access_in_1 extended permit udp any any eq bootpc

access-list outside_access_in_1 extended permit udp any any eq bootps

access-list DHCP extended permit ip any host x.x.x.x

access-list DHCP extended permit ip host x.x.x.x any

access-list cap extended permit ip any host x.x.x.x

access-list cap extended permit ip host x.x.x.x any

access-list tac extended permit udp host y.y.y.y host x.x.x.x eq bootps

access-list tac extended permit udp host y.y.y.y host x.x.x.x eq bootpc

access-list tac extended permit udp host x.x.x.x host y.y.y.y eq bootps

access-list tac extended permit udp host x.x.x.x host y.y.y.y eq bootpc

Gareth Gudger
Level 1

Are you authenticating against an AAA server? I wonder if the problem is not really with the ASA itself, but issues connecting to your AAA server itself. Do you have more than one AAA server specified? If so, are they still valid?
