Solved

Cisco Pix 8.0(4)28 won't accept vpn requests

Posted on 2014-08-21
Last Modified: 2014-08-26
Whenever I try to VPN (using Cisco's VPN client) into my company, my authentication fails (I'm using RADIUS on my NPS server).  The messages appearing in the PIX log are shown below along with the statements used to configure my VPN access.  I can't figure out what is wrong; nothing else is recorded in the PIX log to reveal anything.  Does anyone have a clue what I'm missing?  I have two of these PIX devices (model 525) (for different sites) and one works fine.  I compared the configurations and they're nearly identical for this function.  Thanks.

Aug 21 2014 16:10:28: %PIX-2-113022: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113022: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-3-713167: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Remote peer has failed user authentication -  check configured username and password
Aug 21 2014 16:10:59: %PIX-3-713902: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Removing peer from peer table failed, no match!
Aug 21 2014 16:10:59: %PIX-4-713903: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Error: Unable to remove PeerTblEntry

Configuration Statements:

access-list VPNUSERS-tunnel standard permit 172.16.0.0 255.255.0.0
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.3.17
 key ********
aaa-server RADIUS (inside) host 172.16.2.8
 key ********

group-policy VPNUSERS internal
group-policy VPNUSERS attributes
 dns-server value 172.16.2.8 172.16.3.17
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNUSERS-tunnel
 default-domain value xyz.org
 split-dns value xyz.org

ip local pool VPNPool 172.16.7.200-172.16.7.250

tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool VPNPool
 authentication-server-group RADIUS
 authentication-server-group (outside) RADIUS
 default-group-policy VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
 pre-shared-key *
 radius-sdi-xauth
!
Question by:ejefferson213
Accepted Solution

by:
rauenpc earned 2000 total points
ID: 40283187
Your logs make me think that the PIX doesn't have a route to the RADIUS server, or is not using the same shared secret, or the RADIUS server does not have the PIX as a RADIUS client (or has the wrong interface IP configured as the client). Those are possible reasons you see RADIUS going dead/alive over and over. Make sure that when you enter the RADIUS shared secret you don't end the command with a space, because the space will then be part of the shared secret.
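The dead/alive flapping described in the accepted answer can be picked out of a PIX syslog feed automatically. The script below is an added example, not code from this thread or from Cisco: it parses the %PIX-2-113022 (server FAILED) and %PIX-2-113023 (server ACTIVE) messages, reports how long each RADIUS server stayed FAILED, and flags %PIX-3-713167 user-authentication failures that land within a short window after a server outage, which is the pattern that points at the NAS client address, shared secret or route rather than the user's password. The sample log is constructed from the lines quoted in the question; the window length is an assumed default.

```python
import re
from datetime import datetime

# Constructed sample, shaped on the PIX syslog lines quoted in the question.
SAMPLE_LOG = """\
Aug 21 2014 16:10:28: %PIX-2-113022: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113022: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as FAILED
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.3.17 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-2-113023: AAA Marking RADIUS server 172.16.2.8 in aaa-server group RADIUS as ACTIVE
Aug 21 2014 16:10:59: %PIX-3-713167: Group = VPNUSERS, Username = vledj, IP = 69.249.5.121, Remote peer has failed user authentication -  check configured username and password
"""

TS = r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
# 113022 = server marked FAILED, 113023 = server marked ACTIVE (same text, different state word)
STATE_RE = re.compile(TS + r": %PIX-\d-11302[23]: AAA Marking RADIUS server "
                      r"(?P<server>\S+) in aaa-server group (?P<group>\S+) as (?P<state>FAILED|ACTIVE)")
# 713167 = remote peer failed user (XAUTH) authentication
AUTH_RE = re.compile(TS + r": %PIX-3-713167: Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>\S+),")

def _ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def analyze(log_text, window_s=60):
    """Return (flaps, suspects).

    flaps:    [(server, seconds the server stayed FAILED before going ACTIVE again)]
    suspects: [(user, peer_ip, [servers that went FAILED within window_s before the failure])]
    window_s is an assumed correlation window, not a PIX setting.
    """
    failed_at = {}     # server -> time of its last FAILED mark, cleared when it returns to ACTIVE
    all_failed = []    # (time, server) for every FAILED mark seen, used for correlation
    flaps, suspects = [], []
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            when, server = _ts(m["ts"]), m["server"]
            if m["state"] == "FAILED":
                failed_at[server] = when
                all_failed.append((when, server))
            elif server in failed_at:  # ACTIVE following a FAILED: one dead/alive cycle
                flaps.append((server, int((when - failed_at.pop(server)).total_seconds())))
            continue
        m = AUTH_RE.match(line)
        if m:
            when = _ts(m["ts"])
            near = sorted({s for t, s in all_failed if 0 <= (when - t).total_seconds() <= window_s})
            if near:  # the user failed while the PIX could not reach its RADIUS servers
                suspects.append((m["user"], m["ip"], near))
    return flaps, suspects

if __name__ == "__main__":
    flaps, suspects = analyze(SAMPLE_LOG)
    for server, secs in flaps:
        print(f"{server}: FAILED -> ACTIVE after {secs}s (dead/alive flapping)")
    for user, ip, servers in suspects:
        print(f"auth failure for {user} from {ip} while {servers} were FAILED: "
              "check the RADIUS client entry for the PIX, the shared secret, and the route")
```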
Author Comment

by:ejefferson213
ID: 40283986
Thank you.  I can ping the RADIUS server from the PIX and vice versa.  But I think you're onto something. On the RADIUS server, I had the wrong client address for the PIX.  Changed it and will see if that fixes the issue and let you know.  Thanks again.
Author Closing Comment

by:ejefferson213
ID: 40285690
You were correct.  I had the wrong address configured in the RADIUS client for the PIX appliance.  Once it was fixed, VPN worked flawlessly.

Thank you!!