VPN 3000 Concentrator

Posted on 2010-01-05
Last Modified: 2012-05-08
I have run into an issue with our VPN concentrator.  Users connect to our VPN concentrator using Cisco VPN client.  The concentrator authenticates via Windows Server 2008 AD.  Currently, when I test the authentication server, I receive the following: Authentication Error: No response from server.  On the DC, I see the following in the security log:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/5/2010 3:48:50 PM
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC01.domain.local
A Kerberos authentication ticket (TGT) was requested.

Account Information:
      Account Name:            username
      Supplied Realm Name:      domain
      User ID:                  domain\username

Service Information:
      Service Name:            krbtgt
      Service ID:            domain\krbtgt

Network Information:
      Client Address:  
      Client Port:            1146

Additional Information:
      Ticket Options:            0x40800010
      Result Code:            0x0
      Ticket Encryption Type:      0x3
      Pre-Authentication Type:      0

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Question by: andrewg96

    Expert Comment

    If you are getting a success audit on your DC, I would look at your concentrator.  A few questions:  Has this ever worked?  If so, was anything changed before it stopped working?  What method is your concentrator using for AD authentication?


    Author Comment

    This is a new domain, so it has not worked on this exact domain.  The concentrator is using Kerberos for AD.

    Expert Comment

    Do you see anything odd in the syslog on the concentrator?

    Author Comment

    Here is the log from the concentrator

    59733 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/1 RPT=9866
    AUTH_Open() returns 769

    59734 01/05/2010 16:50:31.040 SEV=7 AUTH/12 RPT=9866
    Authentication session opened: handle = 769

    59735 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/3 RPT=14160
    AUTH_PutAttrTable(769, b062bc)

    59736 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/5 RPT=2658
    AUTH_Authenticate(769, 1c4b6bc, 515184)

    59737 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/59 RPT=14176
    AUTH_BindServer(1ecd3bc, 0, 0)

    59738 01/05/2010 16:50:31.040 SEV=9 AUTHDBG/69 RPT=14155
    Auth Server e81be0 has been bound to ACB 1ecd3bc, sessions = 1

    59739 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/65 RPT=14155
    AUTH_CreateTimer(1ecd3bc, 0, 0)

    59740 01/05/2010 16:50:31.040 SEV=9 AUTHDBG/72 RPT=14155
    Reply timer created: handle = 36640029

    59741 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/179 RPT=14155
    AUTH_SyncToServer(1ecd3bc, 0, 0)

    59742 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/180 RPT=14155
    AUTH_SendLockReq(1ecd3bc, 0, 0)

    59743 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/61 RPT=14441
    AUTH_BuildMsg(1ecd3bc, 0, 0)

    59744 01/05/2010 16:50:31.040 SEV=8 AUTHDBG/188 RPT=2939

    59745 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/64 RPT=14474
    AUTH_StartTimer(1ecd3bc, 0, 0)

    59746 01/05/2010 16:50:31.050 SEV=9 AUTHDBG/73 RPT=14474
    Reply timer started: handle = 36640029, timestamp = -262799840, timeout = 4000

    59747 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/62 RPT=14474
    AUTH_SndRequest(1ecd3bc, 0, 0)

    59748 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/192 RPT=5877
    Kerberos_Decode(1c69938, 0)

    59749 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/31 RPT=8172
    Kerberos: Message type KRB_AS_REQ

    59750 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8914
    Kerberos: Option forwardable

    59751 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8915
    Kerberos: Option renewable

    59752 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/42 RPT=8916
    Kerberos: Option renewable accepted

    59753 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/33 RPT=5421
    Kerberos: Client Realm DOMAINNAME

    59754 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/32 RPT=5421
    Kerberos: Client Name username

    59755 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/35 RPT=5267
    Kerberos: Server Realm DOMAINNAME

    59756 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/34 RPT=10533
    Kerberos: Server Name krbtgt

    59757 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/34 RPT=10534
    Kerberos: Server Name DOMAINNAME

    59758 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/36 RPT=2972
    Kerberos: Start time 0

    59759 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/37 RPT=2972
    Kerberos: End time 0

    59760 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/38 RPT=2972
    Kerberos: Renew until time 0

    59761 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/39 RPT=5267
    Kerberos: Nonce 1262731831

    59762 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20798
    Kerberos: Encryption type des-cbc-md5

    59763 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20799
    Kerberos: Encryption type des-cbc-crc

    59764 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20800
    Kerberos: Encryption type des-cbc-md4

    59765 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20801
    Kerberos: Encryption type des3-cbc-sha1

    59766 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20802
    Kerberos: Encryption type des-hmac-sha1

    59767 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20803
    Kerberos: Encryption type rc4-hmac

    59768 01/05/2010 16:50:31.050 SEV=10 AUTHDECODE/40 RPT=20804
    Kerberos: Encryption type null

    59769 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/189 RPT=5943

    59770 01/05/2010 16:50:31.050 SEV=8 AUTHDBG/189 RPT=5944

    59771 01/05/2010 16:50:31.050 SEV=9 AUTHDBG/71 RPT=14474
    xmit_cnt = 1

    59772 01/05/2010 16:50:31.150 SEV=8 AUTHDBG/191 RPT=2959
    Kerberos_Match(1ecd3bc, 1f00fdc), id = 0x00, rcvd = 0x82

    59773 01/05/2010 16:50:31.150 SEV=7 AUTHDBG/76 RPT=51
    Unable to correlate received message with authentication session

    Accepted Solution


    When using Kerberos/Active Directory authentication, if a user types a username with the "@" symbol and Realm using all lowercase for the realm (that is, username@mycompany.com instead of username@MYCOMPANY.COM), the following error occurs on the VPN Concentrator, and the Kerberos server status changes to "Not-in-service".

    78 02/19/2003 16:59:49.250 SEV=7 AUTHDBG/76 RPT=8
    Unable to correlate received message with authentication session

    83 02/19/2003 16:59:53.150 SEV=4 AUTH/15 RPT=76
    Server name =, type = KERBEROS,
    group = KerberosGroup, status = Not-in-service

    When using Kerberos/Active Directory for authenticating, users should enter only their username, username@REALM.COM with Realm all in UPPERCASE letters, or use the Strip Realm setting for the Group on the Concentrator.
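    The realm-case rule above, worked through as an added example that is not part of the original thread or of Cisco's documentation: a short Python script that builds the client principal the concentrator would put into KRB_AS_REQ for each of the three login forms the solution lists (bare username, username@REALM with the realm in uppercase, or any form with the group's Strip Realm setting on), reports a lowercase or foreign realm as a problem instead of silently correcting it, and scans concentrator syslog entries for the two messages quoted above (AUTHDBG/76 "Unable to correlate" and the AUTH/15 transition to Not-in-service). The realm MYCOMPANY.COM, the user jsmith, the function names and the sample log (the two entries from the solution plus one ordinary AUTH/12 entry) are assumptions constructed for the example.

```python
"""Added example: emulate the VPN 3000 group's Kerberos login handling and
scan concentrator syslog for the realm-case failure.  Not Cisco code.
CONFIGURED_REALM, jsmith and SAMPLE_LOG are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CONFIGURED_REALM = "MYCOMPANY.COM"  # assumption: realm on the concentrator's Kerberos server entry


@dataclass
class Principal:
    name: str
    realm: str
    problems: List[str] = field(default_factory=list)


def normalize_login(login: str, configured_realm: str = CONFIGURED_REALM,
                    strip_realm: bool = False) -> Principal:
    """Return the (name, realm) that would go into the AS-REQ for a typed login."""
    login = login.strip()
    if "@" not in login:
        # Form 1: bare username; the group's configured realm is used.
        return Principal(login, configured_realm)
    name, typed_realm = login.rsplit("@", 1)
    if strip_realm:
        # Form 3: Strip Realm discards whatever the user typed after '@'.
        return Principal(name, configured_realm)
    # Form 2: the typed realm is sent as-is, so its case matters.
    principal = Principal(name, typed_realm)
    if typed_realm != typed_realm.upper():
        principal.problems.append(
            "realm typed in lowercase: the concentrator reports AUTHDBG/76 "
            "'Unable to correlate received message' for this form")
    if typed_realm.upper() != configured_realm.upper():
        principal.problems.append(
            f"realm {typed_realm!r} is not the configured realm {configured_realm!r}")
    return principal


# Concentrator syslog: a header line (seq, timestamp, SEV, class/id, RPT)
# followed by one or more message lines, entries separated by a blank line.
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ts>\S+ \S+)\s+SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+/\d+)\s+RPT=\d+")
STATUS_RE = re.compile(
    r"type = (?P<type>\w+),\s*group = (?P<group>[^,]+),\s*status = (?P<status>[\w-]+)")


def parse_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Join each header line with its continuation lines -> (class/id, message)."""
    entries: List[Tuple[str, str]] = []
    cls, msg = None, []  # type: ignore[var-annotated]
    for raw in lines:
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if cls is not None:
                entries.append((cls, " ".join(msg)))
            cls, msg = m.group("cls"), []
        elif line and cls is not None:
            msg.append(line)
    if cls is not None:
        entries.append((cls, " ".join(msg)))
    return entries


def scan_concentrator_log(lines: List[str]) -> Dict[str, object]:
    """Count AUTHDBG/76 correlation failures and collect servers marked Not-in-service."""
    result: Dict[str, object] = {"correlation_failures": 0, "not_in_service": []}
    for cls, msg in parse_entries(lines):
        if cls == "AUTHDBG/76" and "Unable to correlate" in msg:
            result["correlation_failures"] += 1  # type: ignore[operator]
        elif cls == "AUTH/15":
            m = STATUS_RE.search(msg)
            if m and m.group("status") == "Not-in-service":
                result["not_in_service"].append(  # type: ignore[union-attr]
                    (m.group("type"), m.group("group").strip()))
    return result


# Constructed sample: the two entries quoted in the accepted solution plus one
# ordinary session-open entry so the parser has a benign line to pass over.
SAMPLE_LOG = """\
77 02/19/2003 16:59:49.240 SEV=7 AUTH/12 RPT=7
Authentication session opened: handle = 769

78 02/19/2003 16:59:49.250 SEV=7 AUTHDBG/76 RPT=8
Unable to correlate received message with authentication session

83 02/19/2003 16:59:53.150 SEV=4 AUTH/15 RPT=76
Server name =, type = KERBEROS,
group = KerberosGroup, status = Not-in-service
"""

if __name__ == "__main__":
    for login in ("jsmith", "jsmith@MYCOMPANY.COM", "jsmith@mycompany.com", "jsmith@OTHER.COM"):
        print(f"{login:25} -> {normalize_login(login)}")
    print("Strip Realm on:", normalize_login("jsmith@mycompany.com", strip_realm=True))
    print(scan_concentrator_log(SAMPLE_LOG.splitlines()))
```

    Run as a script, the lowercase form jsmith@mycompany.com is flagged rather than uppercased, matching the behaviour the accepted solution describes; with Strip Realm on it becomes jsmith in MYCOMPANY.COM with no problems. The log scanner is only a convenience for spotting the AUTHDBG/76 and AUTH/15 pair in a larger syslog capture; it does not replace reading the full session trace.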


    Author Closing Comment

    You are a Genius!!  My life is sooo much better now.  Thank you for your prompt response.
