05-12-2011 07:21 AM
Hi
I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA authentication manager 6.1 to RSA authentication manager 7.1. Everything continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.
When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern, sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].
I don't believe it's a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.
The RSA server's authentication monitor always shows that the user has successfully authenticated, whether the user's connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.
Has anyone come across this problem before?
Thanks in advance
05-18-2011 10:54 AM
Hi Graham,
my guess is that the new RSA server is slower to respond, causing the vpn3000 to time out sometimes - this would account for all the symptoms (the intermittent nature, the not-in-service, the success logs on the server).
I don't have a vpn3k at hand to check, but I think in the aaa server config where you define the ip address etc. of the RSA server, you can also define a timeout value - see if increasing that value helps.
hth
Herbert
05-25-2011 09:09 AM
Hi Herbert
I have increased the timeout value as you suggested and the problem seems to be resolved! Thanks very much for your help!
Graham