Cisco Pix 8.0(4)28 won't accept vpn requests

Whenever I try to VPN (using Cisco's VPN client) into my company, my authentication fails (I'm using RADIUS on my NPS server).  The messages appearing in the PIX log are shown below along with the statements used to configure my VPN access.  I can't figure out what is wrong; nothing else is recorded in PIX log to reveal anything.  Does anyone have a clue what I'm missing?  I have two of these PIX devices (model-525) (for different sites) and one works fine.  I compared the configurations and they're nearly identical for this function.  Thanks.

Aug 21 2014 16:10:28: %PIX-2-113022: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113022: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-3-713167: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Remote peer has failed user authentication -  check configured username and password
Aug 21 2014 16:10:59: %PIX-3-713902: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Removing peer from peer table failed, no match!
Aug 21 2014 16:10:59: %PIX-4-713903: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Error: Unable to remove PeerTblEntry

Configuration Statements:

access-list VPNUSERS-tunnel standard permit 172.16.0.0 255.255.0.0
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.3.17
 key ********
aaa-server RADIUS (inside) host 172.16.2.8
 key ********

group-policy VPNUSERS internal
group-policy VPNUSERS attributes
 dns-server value 172.16.2.8 172.16.3.17
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNUSERS-tunnel
 default-domain value xyz.org
 split-dns value xyz.org

ip local pool VPNPool 172.16.7.200-172.16.7.250

tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool VPNPool
 authentication-server-group RADIUS
 authentication-server-group (outside) RADIUS
 default-group-policy VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
 pre-shared-key *
 radius-sdi-xauth
!
ejefferson213 Asked:

rauenpc Commented:
Your logs make me think that the PIX doesn't have a route to the radius server, or is not using the same shared secret, or the radius server does not have the pix as a radius client (or has the wrong interface IP configured as the client). Those are possible reasons you see radius going dead/alive over and over. Make sure that when you enter the radius shared secret that you don't end the command with a space because the space will then be part of the shared secret.

ejefferson213 Author Commented:
Thank you.  I can ping the radius server from the pix and vice versa.  But I think you're onto something. On the RADIUS server, I had the wrong client address for the PIX.  Changed it and will see if that fixes the issue and let you know.  Thanks again.
ejefferson213 Author Commented:
You were correct.  I had the wrong address configured in the RADIUS client for the PIX appliance.  Once it was fixed, VPN worked flawlessly.

Thank you!!
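
As an added example (not part of the original thread), a Python check that separates the failure seen here, where message 713167 follows 113022 FAILED marks because the RADIUS server never answered the PIX, from an ordinary credential rejection. The log lines are constructed in the format quoted in the question; the 90-second window, the function name and the cause labels are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same format as the PIX syslog lines in the question.
SAMPLE_LOG = """\
Aug 21 2014 16:10:28: %PIX-2-113022: AAA Marking RADIUS server 10.0.0.10 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113022: AAA Marking RADIUS server 10.0.0.11 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 10.0.0.10 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-3-713167: Group = EXAMPLE, Username = alice, IP = 192.0.2.50, Remote peer has failed user authentication -  check configured username and password
Aug 21 2014 16:25:03: %PIX-3-713167: Group = EXAMPLE, Username = bob, IP = 192.0.2.51, Remote peer has failed user authentication -  check configured username and password
"""

LINE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)$")
FAILED = re.compile(r"AAA Marking RADIUS server (\S+) in aaa-server group (\S+) as FAILED")
AUTH = re.compile(r"Group = ([^,]+), Username = ([^,]+), IP = ([^,]+),")


def classify(log_text, window=timedelta(seconds=90)):
    """Label each 713167 auth failure by its likely cause.

    Heuristic (an assumption of this example): if any RADIUS server was marked
    FAILED (113022) shortly before the failure, the PIX got no usable reply,
    which points at routing, shared secret or the RADIUS client entry rather
    than at the user's password.
    """
    failed_marks = []  # (timestamp, server address)
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, text = m.group(2), m.group(3)
        if msg_id == "113022":
            f = FAILED.search(text)
            if f:
                failed_marks.append((ts, f.group(1)))
        elif msg_id == "713167":
            a = AUTH.search(text)
            if not a:
                continue
            dead = sorted({s for t, s in failed_marks
                           if timedelta(0) <= ts - t <= window})
            cause = "radius-no-response" if dead else "radius-rejected"
            results.append({"user": a.group(2), "peer": a.group(3),
                            "cause": cause, "servers": dead})
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(r)
```

A "radius-no-response" result is the cue to check the RADIUS client entry and shared secret on the server side before resetting any passwords.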

Question has a verified solution.
