Solved

Cisco ASA cannot authenticate VPN clients using Kerberos

Posted on 2009-06-29
1
1,877 Views
Last Modified: 2013-12-04
The ASA was original pointing to a Windows 2000 server for VPN authentication. The Winows 2000 server was retired and we are now running a Windows 2003 domain. The authentication server address was changed to point a different domain controller. No other changes were made. Now the logon box re-appears after users try to connect using the Cisco VPN client.
A sample from the ASA log is below
5|Jun 29 2009|09:39:44|713904|||IP = 141.158.***.***, Received encrypted packet with no matching SA, dropping
4|Jun 29 2009|09:39:44|713903|||Group = *********, Username = *******, IP = 141.158.***.***, Error: Unable to remove PeerTblEntry
3|Jun 29 2009|09:39:44|713902|||Group = *********, Username = *********, IP = 141.158.***.***7, Removing peer from peer table failed, no match!
3|Jun 29 2009|09:39:44|713048|||Group = *********, Username = *********, IP = 141.158.***.***, Error processing payload: Payload ID: 14

Open in new window

0
Comment
Question by:John_R_E
1 Comment
 

Accepted Solution

by:
John_R_E earned 0 total points
ID: 24841785
Solution found. While authenticating to the Windows 2000 domain controller the Kerberos realm of NIXON was fine. When domain was upgraded to a Windows 2003 domain the full qualified domain name of NIXON.COM was required for the KERBEROS Realm
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VOIP Setup through a Watchguard BOVPN 4 84
RDP Sonicwall 8 85
Setting up new vpn 15 66
Internet Connection -- PING testing ? 1 31
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question