Solved

Cisco ASA cannot authenticate VPN clients using Kerberos

Posted on 2009-06-29
Last Modified: 2013-12-04
The ASA was originally pointing to a Windows 2000 server for VPN authentication. The Windows 2000 server was retired and we are now running a Windows 2003 domain. The authentication server address was changed to point to a different domain controller. No other changes were made. Now the logon box re-appears after users try to connect using the Cisco VPN client.
A sample from the ASA log is below:
5|Jun 29 2009|09:39:44|713904|||IP = 141.158.***.***, Received encrypted packet with no matching SA, dropping

4|Jun 29 2009|09:39:44|713903|||Group = *********, Username = *******, IP = 141.158.***.***, Error: Unable to remove PeerTblEntry

3|Jun 29 2009|09:39:44|713902|||Group = *********, Username = *********, IP = 141.158.***.***7, Removing peer from peer table failed, no match!

3|Jun 29 2009|09:39:44|713048|||Group = *********, Username = *********, IP = 141.158.***.***, Error processing payload: Payload ID: 14

Question by:John_R_E

Accepted Solution

by:
John_R_E earned 0 total points
ID: 24841785
Solution found. While authenticating to the Windows 2000 domain controller, the Kerberos realm of NIXON was fine. When the domain was upgraded to a Windows 2003 domain, the fully qualified domain name of NIXON.COM was required for the Kerberos realm.
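
An added example, not part of the original post and not Cisco tooling: a Python check that scans ASA running-config text for Kerberos `aaa-server` hosts whose `kerberos-realm` is a single label (the NIXON case above) or is missing. The sample config, group names and addresses are constructed, and the parser assumes the usual layout of a `protocol kerberos` group line, a `host` line, and indented sub-mode lines beneath it.

```python
import re

# Constructed sample of ASA running-config lines (group names and addresses are made up).
SAMPLE_CONFIG = """\
aaa-server KRB-OLD protocol kerberos
aaa-server KRB-OLD (inside) host 10.0.0.10
 kerberos-realm NIXON
aaa-server KRB-NEW protocol kerberos
aaa-server KRB-NEW (inside) host 10.0.0.20
 kerberos-realm NIXON.COM
aaa-server KRB-BARE protocol kerberos
aaa-server KRB-BARE (inside) host 10.0.0.30
 timeout 5
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.0.0.40
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)")
REALM_RE = re.compile(r"^\s+kerberos-realm (\S+)")

def audit_kerberos_realms(config_text):
    """Return (group, host, realm, issue) for Kerberos hosts with a missing or single-label realm."""
    kerberos_groups = set()
    hosts = []        # [group, host, realm] entries in config order
    current = None    # host entry whose sub-mode lines are being read
    for line in config_text.splitlines():
        if m := GROUP_RE.match(line):
            if m.group(2).lower() == "kerberos":
                kerberos_groups.add(m.group(1))
            current = None
        elif m := HOST_RE.match(line):
            current = [m.group(1), m.group(2), None]
            hosts.append(current)
        elif line.startswith(" ") and current is not None:
            if m := REALM_RE.match(line):
                current[2] = m.group(1)
        else:
            current = None  # any other top-level line ends the host sub-mode
    findings = []
    for group, host, realm in hosts:
        if group not in kerberos_groups:
            continue  # RADIUS, LDAP and other protocols are out of scope here
        if realm is None:
            findings.append((group, host, None, "no kerberos-realm configured"))
        elif "." not in realm.strip("."):
            findings.append((group, host, realm, "single-label realm, expected FQDN"))
    return findings
```

Feeding it the output of `show running-config aaa-server` before and after a domain controller change shows which server entries still carry the short realm name.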