Remote Peer not responding on Cisco VPN client after changing the authentication server address

Hello Experts,

The domain controller (Windows 2003 AD DC) that manages authentication for our VPN server crashed so I had to point the Cisco ASA 5500 to our other domain controller (Windows 2008 AD DC).  

I've updated the ASA with the new server name and IP address but the VPN client still does not connect.  Below is my configuration, can you please tell me what I may be missing?  Thanks!

Server Group:    LOCAL
Server Protocol: Local database
Server Address:  None
Server port:     None
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

aaa-server Remote protocol nt
aaa-server Remote (inside) host 192.168.1.15
 timeout 5
 nt-auth-domain-controller pdc02

Server Group:    Remote
Server Protocol: nt
Server Address:  192.168.1.15
Server port:     139
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       57
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      57
Number of unrecognized responses        0

group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.168.1.15
 dns-server value 192.168.1.15
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
group-policy support internal
group-policy support attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value support_splitTunnelAcl
cyardley asked:

asavener commented:
Suggest you look at the allowed protocols on the domain controller.  Seems likely that it's forcing NTLMv2 or higher, and the NT authentication is failing.

Go to Administrative Tools -> Local Security Policy-> Local Policies -> Security Options -> Network security: LAN Manager authentication level

https://technet.microsoft.com/en-us/library/cc738867%28v=ws.10%29.aspx

I suspect you'll see that it's set to Send NTLMv2 response only\refuse LM or Send NTLMv2 response only\refuse LM & NTLM.

Options are to change the setting to Send NTLMv2 response only (domain controllers accept LM, NTLM, and NTLMv2 authentication) or to change the authentication type on the ASA to Kerberos.  

Personally, I suggest Kerberos.
cyardley (author) commented:
Thank you for the response!   I apologize, I am relatively new to Cisco router configuration.

My server is currently set to Send NTLMv2 response only.

Would I have to configure anything else on the ASA if I change the authentication type to Kerberos?
asavener commented:
Yes.  See http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/68881-aa-svrgrps-asdm.html

Your output indicates a timeout issue.  For some reason, the ASA cannot reach the server.  I thought it was due to the server not responding, but it could also be due to the Windows firewall, a routing issue, or other connectivity issues.

Start by trying to ping the domain controller.
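As an added illustration (not from the thread or the linked Cisco document) of the Kerberos switch suggested above: the server-group name KERB, the realm EXAMPLE.LOCAL and the tunnel-group name VPN are assumptions; the domain controller address 192.168.1.15 and the group-policy name come from the question.

```cisco
! Kerberos AAA server group replacing the failing NT group "Remote".
! Assumed names: KERB (server group), EXAMPLE.LOCAL (AD realm), VPN (tunnel group).
! The realm is the AD DNS domain in UPPER CASE; the ASA reaches the KDC on port 88,
! so that port must be allowed through the Windows firewall on the DC.
aaa-server KERB protocol kerberos
aaa-server KERB (inside) host 192.168.1.15
 timeout 5
 kerberos-realm EXAMPLE.LOCAL
 server-port 88
!
! Kerberos rejects requests when the ASA and DC clocks drift apart, so time-sync the ASA
! to the domain controller (or whatever NTP source the DC itself uses).
ntp server 192.168.1.15
!
! Send the IPsec remote-access tunnel group's user authentication to the new group.
tunnel-group VPN general-attributes
 authentication-server-group KERB
 default-group-policy VPN
!
! Verification from enable mode before rolling the change out to users
! (placeholder credentials): confirm basic reachability first, then a real login.
! ping inside 192.168.1.15
! test aaa-server authentication KERB host 192.168.1.15 username <user> password <pass>
! show aaa-server KERB
```

If `show aaa-server KERB` still counts every request as a timeout, the problem is connectivity (routing, the DC's host firewall, or port 88 blocked) rather than the authentication protocol.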
