I'm having an issue where clients seem to randomly not be assigned an IP address for their session. We're using an ACS to authenticate sessions to a back end RSA server and here's what I've found thus far:
RSA - Shows a passcode accepted message for the user
ACS - Shows a successful login for the user
ASA logs - Show a successful login for the user except for when the session requests the IP address
ACS - Auths and provides the IP
ASA - Address Assignment Policy is set to "use authentication server"
I haven't been able to consistently re-create this scenario but it has happened to me at random times. User experience is that they can try to connect anywhere between 2-10 attempts before getting in and the logs always show that a valid IP was received from the ACS server.
Any help and/or recommendations would be appreciated.
Update to this item. I added a local IP pool and changed the address assignment policy to pull from the local server, then added the pool to the IPsec and AnyConnect profiles. Then changed the ACS config to not assign an address.
Not getting as many errors like this, however they're still happening.