Cisco VPN Authentication : Reason - 413

Hi
I need some help regarding Cisco VPN client authentication. We have a VPN concentrator and a Cisco ACS. This is how it is done... The user database is created on the Cisco ACS and the group names are created on the VPN concentrator.
This is what happens....
When I connect to the VPN concentrator using the Cisco client, it gets authenticated and I am asked to enter the username and password. When I enter the username and password which have been created on the Cisco ACS, I get the following error:

Secure VPN Client terminated locally by the client.
Reason 413: User authentication failed.

Can you tell me if I need to change any settings on the Cisco ACS????

Note : The test between the VPN concentrator and the Cisco ACS is successful. There are 2 authentication servers for the time being. (1) Internal VPN database (placed TOP) and (2) RADIUS server (Cisco ACS - placed second).

Please advise
Thanks
Merlin_Raja asked:
koudry commented:
Hi Merlin_Raja:

This error is likely to be related to wrong username, password or authentication group.  

If you are using a security token, please make sure that the associations of the token number, authentication group, shared password, are consistent across the authentication servers.

You may also be using a local user name as opposed to a user name as configured on the authentication servers.

I am not sure if the URLs below will be of any use:

http://www.chicagotech.net/cisco/cisco413.htm
http://www.uoguelph.ca/ccs/internet/faq/index.cfm?fuseaction=faq.showfaq&faqid=37#142
Koudry
0
Merlin_Raja (Author) commented:
Hi Koudry
I can tell you for sure that the username and password are correct because if I enter a wrong username and password, it still prompts me to enter a valid username and password.
But can you guide me through as to how to configure the user in the right authentication group?

The usernames are local to the ACS box. I have created a group called TEST and placed the user "USER1" into that group. But I don't know if I have configured the group properly.

And besides, since I am connecting it with a VPN concentrator, I don't know if the settings on the VPN concentrator and the ACS need to be the same.

Please advise

Thanks
0
koudry commented:
Hi Merlin_Raja,

I found the following article useful, although the software and components are not exactly the same.  It does explain the concepts and basics to get things going.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthemicrosoftserverwithias

This article is from one of the EE questions:

http://www.experts-exchange.com/Networking/Protocols/Q_22893036.html

The following Cisco document may also help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a03.shtml

While you are looking at those articles, I will try and see if I can pull some sample config together.

Good luck.

Koudry
0


Merlin_Raja (Author) commented:
Thank you Koudry
I'll look at these documents and get back to you.
And I have one more issue. I tried to upgrade the ACS box from 4.1.1.23 to 4.1.4.13 and after a very long time it failed. Is there any work around for this?? :(
0
koudry commented:
Hi Merlin_Raja:
Do you mean that the new software release 4.1.4.13 failed to load when you put it on the device?
If that is the case, it is likely that you have corrupted software. This happens sometimes when you are transferring from one storage to the other, especially from your Windows PC to a UNIX box.
The ACS would expect a binary image file, so if it is not, i.e. if it is in ASCII, then the device will not take it.  
You need to check that you have the correct size for the file, i.e. right-click on the file in Windows Explorer and check for the size in bytes.  It must be exactly the same size as specified on the Cisco web site.  
In the file attached below, the image size is 23,826,608 bytes.
If you have a TFTP server which is a UNIX box and you download your image file onto your c:\ drive, on your FTP client used to access the TFTP server, you need to make sure you type BIN (for binary) before the PUT command to get the file from your c:\ drive to the UNIX TFTP server. Otherwise your image file is put on the TFTP server in an ASCII format and this won't work on the network device.
If the problem is not what I have just described, please provide further information.
Thanks,
Koudry

CheckImageFIlesize.doc
0
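A small check for the size point koudry makes above, added here as an example and not part of the thread: it compares a downloaded image against the vendor-published byte count and models what an ASCII-mode FTP upload from a Windows client to a UNIX host does to a binary file, so the mismatch is visible. The 23,826,608-byte figure is the one quoted above; the sample image bytes and the optional SHA-256 comparison are constructed assumptions.

```python
"""Verify a downloaded appliance image by size, and show why an ASCII-mode
FTP transfer (Windows client -> UNIX TFTP host) breaks a binary image.
Added example, not code from the thread; sample bytes are constructed."""
import hashlib
from typing import Dict, Optional, Tuple

# Size koudry quotes for the ACS image; any vendor-published size works the same.
PUBLISHED_SIZE = 23_826_608


def ascii_mode_transfer(data: bytes) -> bytes:
    """Model an FTP ASCII-mode upload from Windows to a UNIX server: the client
    sends CRLF as the network line ending and the UNIX side stores bare LF, so
    every CRLF byte pair that happens to occur in the binary image loses one
    byte. A multi-megabyte image contains many such pairs by chance."""
    return data.replace(b"\r\n", b"\n")


def check_image(data: bytes, expected_size: int,
                expected_sha256: Optional[str] = None) -> Dict[str, object]:
    """Verdict on an image: size match (what the thread recommends) plus an
    optional digest match when the vendor publishes one (assumed here)."""
    actual_size = len(data)
    result: Dict[str, object] = {
        "size_ok": actual_size == expected_size,
        "size_delta": actual_size - expected_size,  # negative: bytes were lost
        "sha256_ok": None,
    }
    if expected_sha256 is not None:
        digest = hashlib.sha256(data).hexdigest()
        result["sha256_ok"] = digest == expected_sha256.lower()
    return result


def check_image_file(path: str, expected_size: int) -> Dict[str, object]:
    """Same check against a file on disk, read in binary mode."""
    with open(path, "rb") as f:
        return check_image(f.read(), expected_size)


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed 'image' of 904 bytes containing 100 CRLF pairs: the
    binary-mode copy passes, the ASCII-mode copy comes up 100 bytes short."""
    image = b"\x7fBIN" + b"\x01\r\n\x02" * 100 + b"\xff" * 500
    good = check_image(image, len(image))
    bad = check_image(ascii_mode_transfer(image), len(image))
    return good, bad


if __name__ == "__main__":
    good_copy, bad_copy = demo()
    print("binary-mode copy:", good_copy)
    print("ascii-mode copy :", bad_copy)
```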
Merlin_Raja (Author) commented:
you're good at this I guess... :)))

It is a software upgrade. The reason for the upgrade was because ACS 1113 cannot put in a static IP and you need to overcome this by a patch. The current version is 4.1.1.23 and I thought I could upgrade it to 4.1.4.13 to solve this issue.

But now after you have mentioned the file size issue, I need to check this out. I did get another link on the site regarding this issue.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#sok

I'm not sure if this will help me overcome this problem. But I will go ahead with your suggestion in your previous answer and will check this out and get back to you.

Thank you Koudry
0
Merlin_Raja (Author) commented:
Hi Koudry

I've applied the patch which was recommended regarding the IP issue. It worked successfully.
But when I HyperTerminal to the device, it asks me for login and password and once it goes inside, it's blank and I don't get to see anything.  (it's just one problem after the other>>>)
Is there a way to resolve this issue??

Thanks
0
koudry commented:
Hi Merlin_Raja:
It looks like you have lost your config on the device. If you have a backup config, you can load it into the device using the copy command. If you haven't got a backup config, I don't know if you can recover anything from the file system (either flash or disk) since these devices don't do auto-backup.
0
Merlin_Raja (Author) commented:
I do have my backup config file.
I think the problem occurred when I installed the previous patch and it failed. I've been facing this issue since then. My web access works. Is it possible for me to apply another patch and regain connectivity?
0
koudry commented:
Hi Merlin_Raja:
Yes of course you can apply another patch as you need it. So after you have made sure you have all the patches you need, then you apply the config from the backup and make sure you save the config, i.e. from running config to startup config so that when you restart / reload the device, your config can take effect.
Once your config and patch(es) are in place,  you can reload the device and see what happens. If all is well, you should have your device back with the patches and config.
You need to check that you have all the configs.  Then you can check for the static IP problem that the patch was meant to resolve, to see if the problem is still there before you do anything else.
Thanks,
Koudry
0
Merlin_Raja (Author) commented:
I can access HyperTerminal now but not web access, and this is the message on the terminal

Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)

Appliance upgrade in progress...


It's been more than an hour since the status has been like this and I can't do anything.

Is there any workaround, or can I restore the ACS box from scratch??

Thanks
0
koudry commented:
Hi Merlin_Raja:
There surely is a problem.  If you have physical access to the device, you may want to try to power down and up and see if the problem is cleared. It is quite possible that the patches are causing some problem. If you manage to get the box back, try removing the patches to get the box back on a stable mode first.
Good luck
Koudry
0
Merlin_Raja (Author) commented:
Hi Koudry

hey you know,, I guess that patch that failed has done something. The device is near me right now as it is still not in production. I cannot use the restore or rollback command on the ACS device.

For every command other than the "show" command, I get the following message

Appliance Upgrade is in progress, please try later

I did shut down and reboot the device but I still get the message that the appliance is still in the process of upgrading. I do have the config file which I had taken using the web access.

I do have the restore appliance CD with me. What to do now????

Thanks
0
koudry commented:
Hi Merlin_Raja:
Please don't do anything just yet. I will get back to you in a moment.
Thanks,
Koudry
0
koudry commented:
Hi Merlin_Raja:
I am just checking the following URL:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/solution_engine/upgap.html
It highlights the problem you are having with the device hanging. There is also a solution to that:
"If you complete the upgrade and the ACS console displays the message Appliance upgrade in progress, this indicates that the upgrade progress is hanging.

If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process."  
Thanks,
Koudry
0
Merlin_Raja (Author) commented:
Hi Koudry

Hear this.. My previous version was 4.1.1.23 and so I downloaded the patch 4.1.1.23.1 and I applied it. Guess what happened,,, The patch got applied and I can access my web as well as my HyperTerminal.

Cisco Secure ACS: 4.1.1.23
ACS 4.1.1.23.1 Fix: (Patch: 4.1.1.23.1 Mon 01/15/2007 20:01:36.20) [This is the patch I applied NOW]
ACS 4.1.1.24 CSCsm73656-Set-Ip: (Patch: 4.1.1.24 Tue 04/03/2008 21:03:08.16)
ACS 4.1.4.13.6 Fix: (Patch: 4.1.4.13.6 Mon 02/18/2008 15:47:35.76)
Appliance Management Software: 4.1.1.23
Appliance Base Image: 4.1.1.4
CSA build 4.0.1.543.2: (Patch: 4_0_1_543)
Session Timeout: 10
Last Reboot Time: Fri Aug 01 10:01:26 2008

I guess for a start I can access my device but I can't start all my services

CSAdmin        running
CSAuth         stopped
CSDbSync       stopped
CSLog          running
CSMon          stopped
CSRadius       stopped
CSTacacs       stopped

I still haven't restarted my device to check for issues yet. I will restart and get back to you

Thank you
0
Merlin_Raja (Author) commented:
Hi Koudry

After restarting, I got my HyperTerminal and web access running. Thank you so much for your guidance. However I still haven't got all my services running. I remember seeing a patch for the CSAuth service to be fixed if it is not running but I can't remember where. Can you help me out?

Thank you
0
Merlin_Raja (Author) commented:
Hi Koudry

I got these services running

CSAdmin        running
CSAuth         running
CSDbSync       stopped
CSLog          running
CSMon          stopped
CSRadius       running
CSTacacs       running

Still waiting for 2 more. The way I accomplished getting the others started was I applied the 4.1.23.3 patch.

Thanks
0
Merlin_Raja (Author) commented:
All of Koudry's answers were exactly what I needed at that moment of time.
Thank you Koudry for your timely help :)))))))

*** I did want to give you 500 points for all your questions but I guess I can't allot more than a total of 500 points. :((

Thank you again
0
koudry commented:
Hi Merlin_Raja:

You may want to take a look at the following document:
Release Notes Update for Cisco Secure ACS 4.1.4.13 @ http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.4/release/notes/Release_Notes_for_Cisco_Secure_ACS_4.1.4_v2.html
I am not sure if the CSDbSync and CSMon services are related, but is there a way you can try manually restarting these services using the commands "restart CSDbSync" and "restart CSMon"?
Good luck.
Koudry          
0
Merlin_Raja (Author) commented:
Thank you
I'll have a look at them now and get back to you
0
marek1712 commented:
I had two cases in which the Client (v4.8) generated reason 413 (with correct username and passphrase):
- earlier this year it was a computer which did not meet the firewall policy (the firewall software had been damaged and had to be reinstalled).
- yesterday it was a token issue. The RSA token had desynchronized with the RSA SecurID server and had to be resynchronized with the assistance of the VPN helpdesk. I wouldn't have figured it out without help as the Cisco VPN Client hadn't shown any warnings or errors (all options in the log settings were set to high priority).

BTW: our manual says that there are a few reasons for error 413 to appear:
- locked AD or token account
- dropped connection (which has to time out before making another one)
- firewall and antivirus policy mismatch
0