04-22-2011 04:38 AM
Hi,
I have an ASA5540 running IOS 8.04-K8. Users are able to connect VPN over the internet but are unable to re-connect VPN when they were disconnected abnormally (abnormally means they are not disconnecting VPN manually; when disconnecting manually no problem occurs). The ASA is showing an active session for the disconnected user and the user is getting reason 433 while re-connecting VPN.
Any suggestion and recommendation for this case.
Waiting for your replies.
Thanks a lot.
Regards,
Arsalan
04-22-2011 05:07 AM
Please correct the IOS version; currently using IOS version 8.23-k8.
04-22-2011 07:01 AM
Hi,
Please attach the "sh run" of the ASA.
Regards,
Anisha
04-24-2011 06:30 AM
Hi Anisha,
Thank you for your response, I will surely provide it by Monday.
Regards,
Arsalan
04-25-2011 08:33 AM
Hi,
You have the following configuration on the ASA:
tunnel-group KATS_DR type remote-access
tunnel-group KATS_DR general-attributes
authentication-server-group ACS
accounting-server-group ACS
default-group-policy DR_KATS
tunnel-group KATS_DR ipsec-attributes
pre-shared-key *****
group-policy DR_KATS internal
group-policy DR_KATS attributes
vpn-filter value drvpn-filter
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Any_Split
ip local pool pool 10.100.100.1-10.100.100.50 mask 255.255.0.0
ip local pool anypool 172.16.213.1-172.16.213.254 mask 255.255.255.0
The tunnel-group does not have an address-pool associated with it.. It will never work. Please associate any of the address-pools, i.e. pool or anypool, with the tunnel-group. Then you should be good to go..
You are missing the following command:
tunnel-group KATS_DR general-attributes
address-pool
Hope this helps.
Regards,
Anisha
P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-26-2011 01:05 AM
Hi Anisha,
Thank you for your reply. Actually we are assigning the IP address from Cisco ACS, where the user is also authenticated, which is why we are not using any IP pool. I have tried with an IP pool but it did not work out. Currently I am not using an IP pool but users are still able to connect. What I have diagnosed further: if the client's VPN tunnel goes down (client VPN disconnected), the ASA still shows an active session (by the commands sh crypto isakmp sa / sh crypto ipsec sa) and takes 360 secs (5/6 minutes) to remove the session by itself.
I think the ASA is not detecting that its peer has gone down, so when the user tries to re-connect the VPN session the client gets either "Reason 433: Reason Not Specified by Peer" or "Reason 413: User authentication failed" even when providing the correct username and password, and the ACS logs show the error "max sessions reached".
I hope you have an idea about the problem occurring. Please feel free to ask if you have any query.
Regards,
Arsalan
04-26-2011 11:39 AM
Hi,
under the tunnel-group, try reducing the keepalive interval.. Might help in detecting that the peer is down faster..
Best wishes,
Motaz
04-27-2011 04:55 AM
Hi Motaz,
It's done. Thank you Motaz for the solution, it worked out perfectly. I set the keepalive to 10. I was thinking the same but was unable to find where the keepalive would be put. I think by default the keepalive value is 300 secs and it did not appear in the running-config. Please correct me if I am wrong.
I highly appreciate all of you for the answers and solution.
Take Care,
Best Regards,
Arsalan
04-27-2011 05:19 AM
Hi Arsalan,
My pleasure.. Yes, you are right, for remote access the default value is 300, that's why it doesn't show.. I'm glad I was the one to answer your question.
Best wishes,
Motaz
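An added configuration example, not taken from this thread or from Cisco documentation, showing where the keepalive discussed above lives on the ASA, how to surface the default value that "show running-config" hides, and how to clear a session the ASA still lists before the keepalive times it out. The tunnel-group name KATS_DR comes from the configuration posted earlier in the thread; the threshold/retry values and the username placeholder are illustrative.

```cisco
! Added example: ISAKMP keepalive (dead peer detection) for the
! remote-access tunnel-group KATS_DR (name from the thread).
! threshold = seconds a peer may sit idle before the ASA starts probing it
! retry     = seconds between retries when a probe gets no answer
tunnel-group KATS_DR ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Defaults are not printed by "show running-config"; the "all" keyword
! forces them out, which is how to confirm the 300-second default for
! remote access (expected line shown as a comment, illustrative):
! show running-config all tunnel-group KATS_DR
!   isakmp keepalive threshold 300 retry 2
!
! Check for a stale session after an abnormal client disconnect, and
! clear it so the user can re-connect without waiting for the keepalive
! to expire (<username> is a placeholder):
! show vpn-sessiondb remote
! vpn-sessiondb logoff name <username>
```

With threshold 10 and retry 2 a dead peer is noticed in a matter of seconds instead of the 5 to 6 minutes observed in the thread, which is what stops the ACS "max sessions reached" error on re-connect. A very low threshold does add ISAKMP probe traffic and can drop clients on lossy links, so if users start losing tunnels after the change, raise the threshold a little rather than disabling keepalives, and keep the ACS session-limit error as the signal that stale sessions are building up again.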
04-28-2011 02:34 AM
Thank you once again, I have marked the answer correct and rated it as well.
Best Regards,
Arsalan
04-28-2011 02:39 AM
Always a pleasure.. thanks
BR,
Motaz