cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1372
Views
19
Helpful
11
Replies

Unable to reconnect VPN on ASA over the internet

Hi,

I have ASA5540 running IOS 8.04-K8, users are able to connect VPN over the internet but unable to re-connect VPN when users disconnected abnormally (abnormally means they are not disconnecting VPN manually, while disconnecting manually no problem occur). ASA showing an active session of the disconnected user and user having reason 433 while re-connecting VPN.


Any suggestion and recommandation for this case.

Waiting for your repies.

Thanks a lot.

Regards,

Arsalan

1 Accepted Solution

Accepted Solutions

Hi,

under the tunnel-group, try reducing the keepalive interval.. Might help in detecting that the peer is down faster..

Best wishes,

Motaz

View solution in original post

11 Replies 11

Please correct IOS version, currently using IOS verion 8.23-k8.

Hi,

Please attach the "sh run" of the ASA

Regards,

Anisha

Hi Anisha,

Thank you for your repsonse, I will surely provide you by monday.

Regards,

Arsalan

Hi Anisha

Please find the attached file you requested.

Regards

Mirza Arsalan Baig

Hi,

You have the following configuration on the ASA:

tunnel-group KATS_DR type remote-access
tunnel-group KATS_DR general-attributes
authentication-server-group ACS
accounting-server-group ACS
default-group-policy DR_KATS
tunnel-group KATS_DR ipsec-attributes
pre-shared-key *****

group-policy DR_KATS internal
group-policy DR_KATS attributes
vpn-filter value drvpn-filter
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Any_Split

ip local pool pool 10.100.100.1-10.100.100.50 mask 255.255.0.0
ip local pool anypool 172.16.213.1-172.16.213.254 mask 255.255.255.0

The tunnel is group does not have a address-pool associated with it.. It will never work. Please associated any of the address-pools i.e. pool or anypool with the tunnel-group. Then you should be gud to go..

You are missing the following command:

tunnel-group KATS_DR general-attributes

     address-pool

Hope this helps.

Regards,

Anisha

P.S.:Please mark this thread as answered, if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

Thank you for your reply, actually we are assigning ip address from Cisco ACS from where user also aunthenticated that is why not using any ip pool. I have tried with ip pool but it did not work out. Currently I am not using ip pool but users are still able to connect, what I have diagnosed further if client's vpn tunnel went down (client vpn disconnected) but on ASA it show an active session (by command sh crypto iskamp/ipsec sa) and take 360 secs (5/6 minutes) to remove the session by itself.

I think ASA is not detecting its peer has been down, so when user try to re-connect vpn session so client get either "reason 433: Reason Not Specified by Peer" or "Reason 413: User authentication failed" even providing correct username password and in ACS logs showing an error "max sessions reached".

I hope you have an idea about the problem occuring. Please feel free to ask if you have any query.

Regards,

Arsalan

Hi,

under the tunnel-group, try reducing the keepalive interval.. Might help in detecting that the peer is down faster..

Best wishes,

Motaz

Hi Motaz,

Its done, Thank you Motaz for the solution, it worked out perfectly. I set the keepalive to 10, I was thinking the same but was unable to find where would keepalive will be put. I think by default keepalive value is 300 Secs and it did not appear in running-config. Please correct me if I am wrong.

I highly appreciate all of you for the answers and solution.

Take Care,

Best Regards,

Arsalan

Hi Arsalan,

My pleasure.. Yes, you are right, for the remote access the default value is 300, that's why it doesnt show.. Im glad I was the one to answer your question

Best wishes,

Motaz

Thank you once again, I have marked the answer correct and rated it as well.

Best Regards,

Arsalan

mkhraisa
Level 1
Level 1

Always a pleasure.. thanks

BR,

Motaz