
VPN 3000 concentrator intermittent login failures

graham robinson
Level 1

Hi

I manage a VPN 300 concentrator which has been happily working for several years without any problems. All users are part of the same group and authenticate to an RSA server. We recently moved from RSA authentication manager 6.1 to RSA authentication manager 7.1. Everything continued working fine for several weeks, then at the beginning of this week we started getting users intermittently failing to connect to the VPN. I'm not sure if this problem relates to our new RSA server, but we have other network devices which authenticate to it with no problem so I guess the problem is with the VPN concentrator itself.

When users fail they just get a generic "Reason 427 connection terminated by peer" error message. The live event log shows "group = vpn, status = Not-in-service" when their connection fails. Other times they connect normally and no error messages are displayed. There seems to be no real pattern; sometimes your connection fails but if you keep trying you will eventually get in [however it can take many attempts over an hour or two before you succeed, or you may get in straight away with no problem].

I don't believe it's a network problem, as I have run continuous pings to the concentrator and the RSA server whilst users are experiencing these problems and there are no drops.

The RSA server's authentication monitor always shows that the user has successfully authenticated, whether the user's connection actually succeeds or not. I am tempted to just reboot the concentrator, but we have site-to-site VPN tunnels connected off it and I'm a little concerned that if it is faulty it may not come back up at all.

Has anyone come across this problem before?

Thanks in advance

Accepted Solutions

Herbert Baerten
Cisco Employee

Hi Graham,

my guess is that the new RSA server is slower to respond, causing the vpn3000 to timeout sometimes - this would account for all the symptoms (the intermittent nature, the not-in-service, the success logs on the server).

I don't have a vpn3k at hand to check, but I think in the aaa server config where you define the ip address etc. of the RSA server, you can also define a timeout value - see if increasing that value helps.

hth

Herbert

Hi Herbert

I have increased the timeout value as you suggested and the problem seems to be resolved! Thanks very much for your help!

Graham
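
The diagnosis in this thread has a recognisable log signature: the RSA server records a successful authentication while the concentrator logs Not-in-service for the same user at about the same time. The Python example below is added here and is not part of the original posts; it correlates the two logs to flag such pairs. The "timestamp user status" line layout, the status strings and the sample events are constructed assumptions, not real VPN 3000 or RSA Authentication Manager export formats.

```python
from datetime import datetime

# Constructed sample events. The "timestamp user status" layout and the status
# strings are assumptions, not a real VPN 3000 or RSA export format.
CONCENTRATOR_LOG = """\
2010-03-01T09:00:05 alice connected
2010-03-01T09:02:11 bob not-in-service
2010-03-01T09:02:40 bob not-in-service
2010-03-01T09:03:02 bob connected
2010-03-01T09:10:30 carol not-in-service
"""
RSA_LOG = """\
2010-03-01T09:00:03 alice auth-success
2010-03-01T09:02:14 bob auth-success
2010-03-01T09:02:44 bob auth-success
2010-03-01T09:03:01 bob auth-success
2010-03-01T09:10:29 carol auth-failed
"""

def parse(text):
    """Return (datetime, user, status) tuples from 'timestamp user status' lines."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), user, status) for ts, user, status in rows]

def correlate(conc_text, rsa_text, window_s=30):
    """Pair each concentrator outcome with the nearest unused server record for
    the same user. The server reply may be logged after the concentrator has
    already given up, so the time gap is compared in both directions."""
    rsa, used, report = parse(rsa_text), set(), []
    for ts, user, outcome in parse(conc_text):
        best = None  # (gap_seconds, index, server_status)
        for i, (rts, ruser, rstatus) in enumerate(rsa):
            gap = abs((rts - ts).total_seconds())
            if i not in used and ruser == user and gap <= window_s:
                if best is None or gap < best[0]:
                    best = (gap, i, rstatus)
        if best:
            used.add(best[1])
        server = best[2] if best else "no-record"
        if outcome == "connected":
            verdict = "ok"
        elif server == "auth-success":
            verdict = "timeout-suspect"  # server accepted, concentrator did not
        else:
            verdict = "other-failure"
        report.append((ts.isoformat(), user, verdict))
    return report

if __name__ == "__main__":
    for row in correlate(CONCENTRATOR_LOG, RSA_LOG):
        print(*row)
```

A high share of "timeout-suspect" rows points at the concentrator giving up before the server's reply arrives, rather than at rejected credentials.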