08-10-2012 01:13 PM
Hello,
I'm having an issue where clients seem to randomly not be assigned an IP address for their session. We're using an ACS to authenticate sessions to a back-end RSA server, and here's what I've found thus far:
RSA - Shows a passcode accepted message for the user
ACS - Shows a successful login for the user
ASA logs - Show a successful login for the user except for when the session requests the IP address
Config parameters:
ACS - Auths and provides the IP
ASA - Address Assignment Policy is set to "use authentication server"
VPN logs (important excerpts below):
Aug 10 2012 09:22:17: %ASA-7-734003: DAP: User ****, Addr x.x.x.x : Session Attribute aaa.cisco.ipaddress = x.x.x.x
Aug 10 2012 09:22:17: %ASA-7-715053: Group = ****, Username = ****, IP = x.x.x.x, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:22:17: %ASA-7-715042: Group = **** , Username = ****, IP = x.x.x.x, IKE received response of type [] to a request from the IP address utility
Aug 10 2012 09:22:17: %ASA-3-713132: Group = **** , Username = ****, IP = x.x.x.x , Cannot obtain an IP address for remote peer
Aug 10 2012 09:22:17: %ASA-7-715065: Group = ****, Username = ****, IP = x.x.x.x, IKE TM V6 FSM error history (struct &0x7666e750) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Aug 10 2012 09:22:17: %ASA-7-715065: Group = ****, Username = ****, IP = x.x.x.x , IKE AM Responder FSM error history (struct &0x76e389f0) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Aug 10 2012 09:22:17: %ASA-7-713906: Group = **** , Username = ****, IP = x.x.x.x, IKE SA AM:747faf8a terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Aug 10 2012 09:22:17: %ASA-7-713906: Group = **** , Username = ****, IP = x.x.x.x , sending delete/delete with reason message
I haven't been able to consistently re-create this scenario, but it has happened to me at random times. User experience is that they can try to connect anywhere between 2-10 attempts before getting in, and the logs always show that a valid IP was received from the ACS server.
Any help and/or recommendations would be appreciated.
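As an added example (not part of the original post or any Cisco tooling), the script below correlates the two message IDs quoted above per session: a 734003 DAP line carrying aaa.cisco.ipaddress means the AAA server did return an address, and a later 713132 for the same user and peer means the ASA still failed to assign one. It separates that case from a 713132 with no AAA address at all (a pool or policy problem rather than an AAA one). The log lines, usernames and addresses are constructed in the format of the excerpts above.

```python
import re

# Constructed sample lines in the ASA syslog layout quoted in the post; all values are made up.
SAMPLE_LOG = """\
Aug 10 2012 09:22:17: %ASA-7-734003: DAP: User alice, Addr 198.51.100.23 : Session Attribute aaa.cisco.ipaddress = 10.20.30.40
Aug 10 2012 09:22:17: %ASA-7-715053: Group = RA-VPN, Username = alice, IP = 198.51.100.23, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:22:17: %ASA-3-713132: Group = RA-VPN , Username = alice, IP = 198.51.100.23 , Cannot obtain an IP address for remote peer
Aug 10 2012 09:23:05: %ASA-7-734003: DAP: User bob, Addr 198.51.100.77 : Session Attribute aaa.cisco.ipaddress = 10.20.30.41
Aug 10 2012 09:23:05: %ASA-7-715053: Group = RA-VPN, Username = bob, IP = 198.51.100.77, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:24:40: %ASA-7-715053: Group = RA-VPN, Username = carol, IP = 198.51.100.90, MODE_CFG: Received request for IPV4 address!
Aug 10 2012 09:24:40: %ASA-3-713132: Group = RA-VPN, Username = carol, IP = 198.51.100.90, Cannot obtain an IP address for remote peer
"""

# %ASA-<severity>-<six-digit id>: <body>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# Body of 734003 when DAP echoes the address the AAA server returned.
DAP_RE = re.compile(
    r"DAP: User (?P<user>\S+), Addr (?P<addr>\S+) : Session Attribute aaa\.cisco\.ipaddress = (?P<ip>\S+)")
# "Username = x, IP = y" as it appears in the IKE messages; the ASA sometimes puts a space before the comma.
SESSION_RE = re.compile(r"Username = (?P<user>[^,\s]+)\s*,\s*IP = (?P<addr>[^,\s]+)")


def find_unassigned_sessions(log_text):
    """Return one (user, peer_addr, aaa_ip) tuple per 713132 failure.

    aaa_ip is the address the AAA server supplied via 734003 for that user/peer,
    or None if the failure happened without any AAA-supplied address being logged.
    """
    aaa_ip = {}  # (user, peer_addr) -> address returned by the AAA server
    findings = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "734003":
            d = DAP_RE.search(body)
            if d:
                aaa_ip[(d["user"], d["addr"])] = d["ip"]
        elif msg_id == "713132":
            s = SESSION_RE.search(body)
            if s:
                key = (s["user"], s["addr"])
                findings.append((key[0], key[1], aaa_ip.pop(key, None)))
    return findings


if __name__ == "__main__":
    for user, peer, ip in find_unassigned_sessions(SAMPLE_LOG):
        cause = f"AAA returned {ip} but ASA did not assign it" if ip else "no AAA address seen before failure"
        print(f"{user} from {peer}: {cause}")
```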
08-10-2012 02:23 PM
Update to this item. I added a local IP pool and changed the address assignment policy to pull from the local server, then added the pool to the IPsec and AnyConnect profiles. Then changed the ACS config to not assign an address.
Not getting as many errors like this; however, they're still happening.