Users with same configurations - one has access not the other

msfch4geneva
Level 1

Hi all,

I have a real mysterious problem.

On the same computer, installed with "Cisco VPN Client v5.0.07.0410", one user can connect to the VPN and the other cannot. Both users use the same Dynamic Access Policies on our ASA firewall. We are certain that the users entered the correct name and password. But one can enter our network and the other gets an "Authentication failed" message directly in the "User Authentication" window.

Does someone have an idea to help us solve this problem?

I provide here a log file of the problem (IKE.log level 3); if you think you need another, please ask.

In this log, I have the feeling that the cause (and maybe the solution) is around event 293, but... not sure.

Thanks in advance

7 Replies

Jatin Katyal
Cisco Employee

Where do we have these users located?

Are we authenticating both users against RADIUS or another external authentication server, or against the local database?

Can you get the "debug aaa authentication" output for the working and non-working account, if we have them in the local DB?

If they are on RADIUS/AD, get the "debug aaa authentication" and "debug radius" output for both attempts.

DEL_REASON_RESET_SADB: With this error message, I can only see that SAs are deleted by the client.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hello Jatin,

First I want to thank you for your interest.

Then the users are both located on an LDAP directory.

I will be happy to provide the logs you asked for, but I should admit I don't understand where to find them. Are they in the client log? It seems to me I can only log the following: LOG.IKE, LOG.CM, LOG.CVPND, LOG.XAUTH, LOG.CERT, LOG.IPSEC, LOG.CLI, LOG.GUI, LOG.PPP, LOG.FIREWALL.

Thanks for your help

You need to collect debugs from the ASA/firewall.

Also, can you check the dial-in permission of the non-working user on LDAP and the event viewer messages from when the authentication failed?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Did that clarify what exactly we need from the logs? If you still have any questions, let me know.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Balthazer,

Please send us the following outputs from the ASA. Run a conditional debug for the specific user who is facing the issue.

debug crypto condition [username string]

debug cry isa sa 200

deb cry ips sa 200

Also, you have mentioned that you are using a DAP policy. Can you share the DAP policy with us?

Regards,
Abhishek Purohit
CCIE-S- 35269


msfch4geneva
Level 1

Hi Jatin Katyal,

Hi Abhishek Purohit,

And really thanks for your help.

We were able to determine the problem with your help (especially from the debug info). The problem was not in the ASA, nor in the VPN Client, but in our LDAP server.

Once again, thanks for your help

Best regards

Thanks for sharing.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin