RADIUS over Site-to-Site VPN doesn't work

Chess Norris
Level 4

Hello,

I am trying to authenticate RA VPN users connecting to an FTD device. The RADIUS requests go over an L2L IPsec tunnel to an ISE server, but no RADIUS packets reach the ISE server, and the RADIUS debug on the FTD just shows RADIUS_SENT:server response timeout.

However, when I try with a RADIUS test tool from a client that is behind the same IPsec tunnel and on the same network as the FTD, the RADIUS packets reach the ISE server without any issues, so the problem only happens when the RADIUS requests are sourced directly from the FTD interface.

Here is my RADIUS server and RA VPN config on the FTD:

aaa-server ISE protocol radius
aaa-server ISE (inside) host 172.27.50.133
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server ISE (inside) host 172.27.50.134
 key *****
 authentication-port 1812
 accounting-port 1813
!
tunnel-group RA-POLICY2 type remote-access
tunnel-group RA-POLICY2 general-attributes
 address-pool RA_POOL1
 authentication-server-group ISE LOCAL
 default-group-policy GP-RAPOLICY
tunnel-group RA-POLICY2 webvpn-attributes
 group-alias RA-POLICY2 enable
!
management-access inside
!

The "management-access inside" command was added through FlexConfig. I remember that this command was required when sending RADIUS requests over an IPsec tunnel, but it still doesn't work, unfortunately.

Would appreciate any help.

Thanks

/Chess

9 Replies

marce1000
VIP

 

Check out: https://community.spiceworks.com/topic/1955385-mtu-question

M.

Thanks. I have heard about problems with MTU and RADIUS before, but wouldn't my RADIUS request from my client fail as well if this were the issue? The client is on the same subnet as the firewall's inside interface, and I use a tool called NTRadPing to send RADIUS requests directly from a Windows client.

Anyway, it's worth looking into and testing, but where should I change the MTU size, on ISE or on the FTDs?

In the link you posted, they changed the frame MTU size to 1300 on the NPS server, which would be equivalent to my ISE server. Can I change the MTU size there?

Edit: I found out how to change the MTU size on the ISE interface and tried setting it to 1300, but no difference.

Thanks

/Chess
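The client-side test described above, written out as a script. This is an added example, not part of the thread and not NTRadPing or any Cisco code; the function names (probe, serve_once and the rest), the shared secret, user and password are all the example's own, and the loopback responder exists only so the exchange can run offline. It builds an RFC 2865 Access-Request, binds the UDP socket to a chosen local address so the identical packet can be sent from the client's address and from another address and the two outcomes compared, and verifies the Response Authenticator before trusting an Accept or Reject.

```python
"""RFC 2865 Access-Request probe with a selectable source address (added example; constructed values)."""
import hashlib, hmac, os, socket, struct, threading

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # attribute types


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password: the MD5 chain is fed with the cipher blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")       # strips padding; a password ending in NUL would lose it


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip):
    """Return (packet, request_authenticator); the authenticator must be fresh random bytes."""
    auth = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def parse_packet(packet):
    """Return (code, ident, authenticator, {type: [values]}); rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4]) if len(packet) >= 20 else (0, 0, 0)
    if not 20 <= length <= len(packet):
        raise ValueError("short packet or bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def response_is_authentic(response, secret, request_authenticator, ident):
    """RFC 2865 3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _, resp_ident, resp_auth, _ = parse_packet(response)
    body = response[:struct.unpack("!H", response[2:4])[0]]
    expected = hashlib.md5(body[:4] + request_authenticator + body[20:] + secret).digest()
    return resp_ident == ident and hmac.compare_digest(expected, resp_auth)


def build_response(request, secret, valid_user, valid_password):
    """Constructed responder: Access-Accept iff the credentials match, signed like a real server."""
    _, ident, req_auth, attrs = parse_packet(request)
    user = attrs.get(USER_NAME, [b""])[0]
    pw = reveal_password(attrs.get(USER_PASSWORD, [b""])[0], secret, req_auth)
    code = ACCESS_ACCEPT if (user, pw) == (valid_user, valid_password) else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)                 # reply carries no attributes
    return head + hashlib.md5(head + req_auth + secret).digest()


def serve_once(bind_addr, secret, valid_user, valid_password):
    """Answer one request on bind_addr from a background thread; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind_addr)
    port = srv.getsockname()[1]
    def run():
        data, peer = srv.recvfrom(4096)
        srv.sendto(build_response(data, secret, valid_user, valid_password), peer)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port


def probe(server, port, secret, username, password, source_ip, timeout=3.0):
    """Send one Access-Request sourced from source_ip: 'accept', 'reject', 'timeout' or 'bad-authenticator'."""
    ident = os.urandom(1)[0]
    request, req_auth = build_access_request(ident, secret, username, password, source_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))                # local address the request is sourced from
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"                    # what the FTD debug reports as server response timeout
    if not response_is_authentic(data, secret, req_auth, ident):
        return "bad-authenticator"              # wrong shared secret, or not a reply to this request
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], "code-%d" % data[0])
```

Against a real server, call probe() twice with the real ISE address, port 1812 and shared secret, once with source_ip set to the client's address and once with a second address on the host, and compare the results: a timeout for one and accept or reject for the other means the RADIUS exchange itself is fine and the difference lies in how that source address is treated on the path, which is a different diagnosis from an MTU problem, where both would fail the same way.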

The issue is that management-access does not work as we want.

Two workarounds:

1-

A- Add to the ACL of the VPN: permit outside to ISE IP

B- Use outside as the source interface to connect to ISE

2- If this S2S VPN is used only to connect to ISE, change it to a VTI VPN and use the VTI as the source interface to ISE (note: this solution needs no NAT exemption; if there is one, remove it).

MHM

 

 

Thanks for the suggestions. I would like to try workaround 1, but I use DHCP on the outside interface, so if I need to include the outside interface address in the crypto ACL, that will probably not work because it will change every now and then.

/Chess

Check that the IPsec S2S VPN is up (since you use a dynamic IP).

And a dynamic IP cannot be configured in the ACL of the VPN.

So workaround 2.

MHM

Thanks, I will try to use a routed-mode VPN instead. I have never configured a routed VPN on FTD before, so this will be a new experience.

You are so welcome, friend, anytime.

Have a nice weekend 

MHM

Thanks, have a great weekend!

/Chess

Some updates.

I opened a TAC case regarding this issue, and they could not really find a solution except adding the FTD's outside IP to the crypto ACL. This will work, but for me that is not a solution, since I use a DHCP address and my ISP can change it to anything at any time, so it is impossible for me.

I have another FPR-1010, and I decided to install an ASA image using the exact same configuration as the FTD. As soon as the IPsec tunnel came up, I was able to send RADIUS packets using the ASA's inside interface as the source.

Talked with TAC again, and they said they have similar cases, but they could not explain why this happens, whether it's just random, a bug or something else. They will now escalate this case to the firewall team (it was handled by the VPN team previously).

/Chess