Cisco VPN Client fails with Reason 433 after upgrading Domain Functional Level to 2008 R2.


I'm looking for help with a Cisco VPN (remote access) issue.  

Environment:  We had a Cisco ASA 5505, ASA ver 8.2(2), Device Manager version 5.2(3), along with a Server 2008 R2 domain controller which is also acting as our Radius server.  Things were working fine for our outside sales team to VPN using the Cisco VPN Client (ver until this past week.

In this week, we've had two significant changes to our environment.  First, we upgraded our domain functional level from 2003 to 2008 R2.  This went off without a hitch, BUT I didn't check the remote access VPN afterwards, so I cannot say for certain that it was working after the upgrade.

A few days later, our ASA died and had to be replaced.  The ASA was RMA'd, and the new 5505 configured.  I upgraded the code slightly--the ASA ver is now 8.2(4), and the Device Manager version is 7.4(3).  All internal functions worked after reconfiguring, but it was at this time that we noticed that the remote access VPN clients would no longer connect.

My first step in troubleshooting (I'm not strong with Cisco products--I can maintain them, but we typically consult out for configurations) was to go over the running configurations line by line from before and after the ASA replacement.  I can confirm that they are the same.

Next, I opened the log on the Cisco VPN Client while trying to connect.  It doesn't log any messages at all.  The actual client fails every time with the following message:

Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified by Peer).

I called Cisco TAC at this point, but they were unable to pinpoint the problem.  They did tell me that the Cisco VPN Client is no longer supported, and I would need to switch to AnyConnect if I wanted further assistance.  I am going to try to troubleshoot this further first, as I have a sales force that is scattered across North America, and if I need to send them a new client and configuration file, it will be more problems than I'd like to deal with right now.

My next troubleshooting step was to go to the Network Policy and Access Services Role on my domain controller and look for errors.  Here I see informational messages that state the following:

Event ID 6273 -  Network Policy Server denied access to a user.
Reason Code: 16 - Authentication failed due to a user credentials mismatch.  Either the user name provided does not map to an existing user account or the password was incorrect.

This message is logged multiple times for each one time I try to connect from the VPN client.  The result is, on my second attempt, my AD account gets locked out, and the information message changes to a Reason Code 36, stating my account is locked.

I am 100% confident that I am using the correct username and password.  Research into the Event ID 6273 informational messages makes me wonder if the issue doesn't stem from the AD upgrade.  Unfortunately, I don't have enough experience with the VPN client to know for certain.

Does anyone have any experience with this type of situation that might help me troubleshoot?


Scott Milner, Application Administrator, asked:

Scott Milner, Application Administrator (author), commented:
I have figured it out.  The RADIUS key didn't come through properly when I reconfigured the new ASA.  I reset it on the ASA and the RADIUS server, and all is working.
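Why a RADIUS key mismatch surfaces on NPS as "credentials mismatch" (reason code 16) rather than as a key error, as an added illustration that is not part of the original thread: in a PAP Access-Request (assumed here to be how the ASA relays the client's username and password to NPS) the User-Password attribute is hidden by XORing it with MD5(shared secret + Request Authenticator) per RFC 2865 section 5.2. NPS cannot tell that its copy of the secret differs; it simply unhides a different password and checks that against Active Directory, failing the logon and counting toward lockout. The secret values and the Request Authenticator below are constructed placeholders.

```python
import hashlib


def _pad16(data: bytes) -> bytes:
    # RFC 2865 5.2: NUL-pad to a multiple of 16 octets, minimum 16.
    pad_len = 16 if not data else (-len(data)) % 16
    return data + b"\x00" * pad_len


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first 'previous block' is the Request Authenticator."""
    assert len(authenticator) == 16
    padded = _pad16(password)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (what NPS does): same keystream, XORed back, padding stripped."""
    assert hidden and len(hidden) % 16 == 0
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")


# Constructed placeholders: real clients use 16 random octets per request.
REQUEST_AUTHENTICATOR = bytes(range(16))
CORRECT_SECRET = b"example-radius-key"   # what the ASA and NPS should both hold
MISTYPED_SECRET = b"example-radius-ke"   # one character lost during re-entry


def password_nps_submits_to_ad(password: bytes, asa_secret: bytes, nps_secret: bytes) -> bytes:
    """The ASA hides with its key; NPS reveals with its own. The result is the
    password NPS actually validates against the domain."""
    hidden = hide_pap_password(password, asa_secret, REQUEST_AUTHENTICATOR)
    return reveal_pap_password(hidden, nps_secret, REQUEST_AUTHENTICATOR)


if __name__ == "__main__":
    pw = b"Correct-Horse-Battery"
    print("keys match:   ", password_nps_submits_to_ad(pw, CORRECT_SECRET, CORRECT_SECRET))
    print("keys differ:  ", password_nps_submits_to_ad(pw, CORRECT_SECRET, MISTYPED_SECRET))
```

With matching keys the round trip returns the user's password; with the mistyped key NPS sees bytes that match no account, which is exactly the Event ID 6273 / reason 16 pattern and, after the second attempt, the reason 36 lockout.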

