VPN error %ASA-7-715042 - IKE received response of type to a request from the IP address utility

pghbrea
Level 1

Hello,

I'm having an issue where clients seem to randomly not be assigned an IP address for their session. We're using an ACS to authenticate sessions to a back-end RSA server, and here's what I've found thus far:

RSA - Shows a passcode accepted message for the user

ACS - Shows a successful login for the user

ASA logs - Show a successful login for the user except for when the session requests the IP address

Config parameters

ACS - Auths and provides the IP

ASA - Address Assignment Policy is set to "use authentication server"

VPN logs (important excerpts below)

Aug 10 2012 09:22:17: %ASA-7-734003: DAP: User ****, Addr x.x.x.x : Session Attribute aaa.cisco.ipaddress = x.x.x.x
Aug 10 2012 09:22:17: %ASA-7-715053: Group = ****, Username = ****, IP = x.x.x.x, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:22:17: %ASA-7-715042: Group = **** , Username = ****, IP = x.x.x.x, IKE received response of type [] to a request from the IP address utility
Aug 10 2012 09:22:17: %ASA-3-713132: Group = **** , Username = ****, IP = x.x.x.x , Cannot obtain an IP address for remote peer
Aug 10 2012 09:22:17: %ASA-7-715065: Group = ****, Username = ****, IP = x.x.x.x, IKE TM V6 FSM error history (struct &0x7666e750)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Aug 10 2012 09:22:17: %ASA-7-715065: Group = ****, Username = ****, IP = x.x.x.x , IKE AM Responder FSM error history (struct &0x76e389f0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Aug 10 2012 09:22:17: %ASA-7-713906: Group = **** , Username = ****, IP = x.x.x.x, IKE SA AM:747faf8a terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Aug 10 2012 09:22:17: %ASA-7-713906: Group = **** , Username = ****, IP = x.x.x.x   , sending delete/delete with reason message

I haven't been able to consistently re-create this scenario, but it has happened to me at random times. User experience is that they can try to connect anywhere between 2-10 attempts before getting in, and the logs always show that a valid IP was received from the ACS server.

Any help and/or recommendations would be appreciated.
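The correlation done by hand above (AAA returned aaa.cisco.ipaddress, yet the mode-config address request ended in 713132) can be automated over ASA syslog. This is an added Python example, not code from the post or from Cisco; the sample lines, usernames and addresses are constructed, and it keys only on the message IDs 734003, 715053 and 713132 that appear in the log excerpt.

```python
import re

# Constructed sample ASA syslog excerpt using the message IDs from the post above.
# Usernames and addresses are placeholders, not values taken from the page.
SAMPLE_LOG = """\
Aug 10 2012 09:22:17: %ASA-7-734003: DAP: User jdoe, Addr 203.0.113.5 : Session Attribute aaa.cisco.ipaddress = 192.0.2.25
Aug 10 2012 09:22:17: %ASA-7-715053: Group = RA, Username = jdoe, IP = 203.0.113.5, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:22:17: %ASA-3-713132: Group = RA, Username = jdoe, IP = 203.0.113.5 , Cannot obtain an IP address for remote peer
Aug 10 2012 09:23:40: %ASA-7-734003: DAP: User asmith, Addr 203.0.113.9 : Session Attribute aaa.cisco.ipaddress = 192.0.2.31
Aug 10 2012 09:23:40: %ASA-7-715053: Group = RA, Username = asmith, IP = 203.0.113.9, MODE_CFG: Received request for IPV4 address!
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
DAP_FIELDS = re.compile(r"User (?P<user>[^\s,]+), Addr (?P<peer>[^\s,]+) .*aaa\.cisco\.ipaddress = (?P<aaa_ip>[^\s,]+)")
IKE_FIELDS = re.compile(r"Username = (?P<user>[^\s,]+), IP = (?P<peer>[^\s,]+)")

def parse_line(line):
    """Split one ASA syslog line into timestamp, severity, message ID and body."""
    m = HEADER.match(line.strip())
    return m.groupdict() if m else None

def find_failed_assignments(log_text):
    """Return one record per connection attempt in which AAA supplied an address
    (734003) but the IKE mode-config address request still failed (713132)."""
    pending = {}   # (user, peer) -> state of the current connection attempt
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msgid, body = rec["msgid"], rec["body"]
        if msgid == "734003":
            f = DAP_FIELDS.search(body)
            if f:
                pending[(f["user"], f["peer"])] = {"aaa_ip": f["aaa_ip"], "requested": False}
            continue
        f = IKE_FIELDS.search(body)
        if not f:
            continue
        key = (f["user"], f["peer"])
        if msgid == "715053" and key in pending:
            pending[key]["requested"] = True          # client asked for its IPv4 address
        elif msgid == "713132" and key in pending:
            state = pending.pop(key)                  # AAA gave an address, assignment failed anyway
            failures.append({"user": key[0], "peer": key[1], "aaa_ip": state["aaa_ip"],
                             "requested": state["requested"], "failed_at": rec["ts"]})
    return failures

if __name__ == "__main__":
    for r in find_failed_assignments(SAMPLE_LOG):
        print(f"{r['failed_at']}: {r['user']} from {r['peer']} got aaa.cisco.ipaddress={r['aaa_ip']} but assignment failed")
```

Attempts that reach 734003 and 715053 without a 713132 are left in `pending` and not reported, so the output lists exactly the intermittent failures described in the post.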

pghbrea
Level 1

Update to this item. I added a local IP pool and changed the address assignment policy to pull from the local server, then added the pool to the IPsec and AnyConnect profiles. Then changed the ACS config to not assign an address.

Not getting as many errors like this; however, they're still happening.