06-11-2013 09:01 AM
Hi all,
I have a real mysterious problem.
On the same computer, installed with "Cisco VPN Client v5.0.07.0410", one user can connect to the VPN and the other cannot. Both users use the same Dynamic Access Policies on our ASA firewall. We are certain that the users entered the correct name and password. But one can enter our network and the other gets an "Authentication failed" message directly in the "User Authentication" window.
Does someone have an idea to help us solve this problem?
I provide you here a log file of the problem (IKE.log level 3); if you think you need another, please ask.
In this log, I have the feeling that the cause (and maybe the solution) is around event 293, but... not sure.
Thanks in advance
06-13-2013 04:51 AM
Where do we have these users located?
Are we authenticating both the users against radius or other external authentication server or local database?
Can you get the "debug aaa authentication" for working and non-working account, if we have them on local db?
If they are on radius/ad, get the debug aaa authen and debug radius for both attempts.
DEL_REASON_RESET_SADB: With this error message, I can only see that SAs are deleted by the client.
Jatin Katyal
- Do rate helpful posts -
06-13-2013 05:30 AM
Hello Jatin,
First I want to thank you for your interest.
Then the users are both located on an LDAP directory.
I will be happy to provide the logs you asked for, but I should admit I don't understand where to find them. Are they in the client log? It seems to me I can only log the following: LOG.IKE, LOG.CM, LOG.CVPND, LOG.XAUTH, LOG.CERT, LOG.IPSEC, LOG.CLI, LOG.GUI, LOG.PPP, LOG.FIREWALL.
Thanks for your help
06-13-2013 06:13 AM
You need to collect debugs from the ASA/firewall.
Also, can you check the dial-in permission of the non-working user on LDAP and the event viewer messages when it failed the authentication?
Jatin Katyal
- Do rate helpful posts -
06-14-2013 02:19 AM
Did that clarify what exactly we need from the logs? If you still have any questions, let me know.
Jatin Katyal
- Do rate helpful posts -
06-14-2013 07:30 AM
Hi Balthazer,
Please send us the following outputs from the ASA. Run a conditional debug for the specific user who is facing the issue.
debug crypto condition [username string]
debug cry isa sa 200
deb cry ips sa 200
Also, you have mentioned that you are using a DAP policy. Can you share the DAP policy with us?
Regards,
Abhishek Purohit
CCIE-S- 35269
06-17-2013 05:49 AM
Hi Jatin Katyal,
Hi Abhishek Purohit,
And really thanks for your help.
We were able to determine the problem with your help (especially from the debug info). The problem was not in the ASA, nor in the VPN Client, but in our LDAP server.
Once again, thanks for your help
Best regards
07-16-2013 07:15 PM
Thanks for sharing.
~BR
Jatin Katyal
**Do rate helpful posts**