I'm looking for help with a Cisco VPN (remote access) issue.
Environment: We had a Cisco ASA 5505, ASA version 8.2(2), Device Manager version 5.2(3), along with a Server 2008 R2 domain controller that is also acting as our RADIUS server. Things were working fine for our outside sales team to VPN using the Cisco VPN Client (version 5.0.07.0440) until this past week.
This week, we've had two significant changes to our environment. First, we upgraded our domain functional level from 2003 to 2008 R2. This went off without a hitch, BUT I didn't check the remote access VPN afterwards, so I cannot say for certain that it was working after the upgrade.
A few days later, our ASA died and had to be replaced. The ASA was RMA'd, and the new 5505 configured. I upgraded the code slightly: the ASA version is now 8.2(4), and the Device Manager version is 7.4(3). All internal functions worked after reconfiguring, but it was at this time that we noticed that the remote access VPN clients would no longer connect.
My first step in troubleshooting (I'm not strong with Cisco products; I can maintain them, but we typically consult out for configurations) was to go over the running configurations line by line from before and after the ASA replacement. I can confirm that they are the same.
Next, I opened the log on the Cisco VPN Client while trying to connect. It doesn't log any messages at all. The actual client fails every time with the following message:
Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified by Peer).
I called Cisco TAC at this point, but they were unable to pinpoint the problem. They did tell me that the Cisco VPN Client is no longer supported, and I would need to switch to AnyConnect if I wanted further assistance. I am going to try to troubleshoot this further first, as I have a sales force that is scattered across North America, and if I need to send them a new client and configuration file, it will be more problems than I'd like to deal with right now.
My next troubleshooting step was to go to the Network Policy and Access Services Role on my domain controller and look for errors. Here I see informational messages that state the following:
Event ID 6273 - Network Policy Server denied access to a user.
Reason Code: 16 - Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
This message is logged multiple times for each single connection attempt from the VPN client. The result is that on my second attempt my AD account gets locked out, and the informational message changes to Reason Code 36, stating that my account is locked.
I am 100% confident that I am using the correct username and password. Research into the Event ID 6273 informational messages makes me wonder whether the issue stems from the AD upgrade. Unfortunately, I don't have enough experience with the VPN client to know for certain.
Does anyone have any experience with this type of situation that might help me troubleshoot?
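The post reads the 6273 denials by hand in the NPS console. The script below is an added example, not part of the original post, that pulls the same events from the Security log on the NPS server and answers the two questions the symptoms raise: which RADIUS client (NAS IP) and authentication method the rejected requests carry, and whether several 6273 events land within seconds of one another for the same user, which is the retry burst that drives the account to the lockout threshold on the second attempt. It assumes an elevated PowerShell 5.1 session on the NPS/DC and that the EventData field names used (ReasonCode, NASIPv4Address, AuthenticationType, NetworkPolicyName, SubjectUserName, ClientName, ClientIPAddress, Reason) are those Windows Server 2008 R2 writes for event 6273; the `Convert-NpsEvent` helper, the `$Minutes`/`$User` parameters and the 10-second burst window are choices made for this example.

```powershell
# Added example (not from the original post): summarise NPS event 6273 denials
# from the Security log so the RADIUS client, auth method, reason code and
# retry pattern behind a single VPN attempt are visible.
# Assumptions: elevated PowerShell 5.1 on the NPS server; EventData names are
# the ones Server 2008 R2 uses for 6273 (ReasonCode, NASIPv4Address, ...).
param(
    [int]$Minutes = 60,     # how far back to look
    [string]$User = '*'     # wildcard filter on the submitted username
)

$since  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten the <Data Name="..."> elements of one 6273 event into an object.
function Convert-NpsEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = $d['SubjectUserName']
        Domain     = $d['SubjectDomainName']
        NasIP      = $d['NASIPv4Address']      # the ASA's RADIUS source address
        Client     = $d['ClientName']          # RADIUS client entry matched in NPS
        ClientIP   = $d['ClientIPAddress']
        AuthType   = $d['AuthenticationType']  # e.g. PAP, MS-CHAPv2, EAP
        Policy     = $d['NetworkPolicyName']
        ReasonCode = [int]$d['ReasonCode']     # 16 = credentials mismatch, 36 = account locked
        Reason     = $d['Reason']
    }
}

$rows = $events | ForEach-Object { Convert-NpsEvent $_ } | Where-Object { $_.User -like $User }

# 1. Which NAS is sending the rejected requests, with which auth type and reason?
#    A NAS whose shared secret does not match what NPS has for it also shows up
#    here as reason 16, because NPS decrypts User-Password with the wrong key.
$rows | Group-Object NasIP, AuthType, ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Burst detection: repeated denials for one user inside a 10-second window
#    are the NAS retrying the same rejected credentials, not the user retyping
#    them; each retry counts toward the AD lockout threshold.
$rows | Sort-Object Time | Group-Object User | ForEach-Object {
    $prev = $null
    foreach ($r in $_.Group) {
        if ($prev -and ($r.Time - $prev.Time).TotalSeconds -lt 10) {
            '{0} {1,-20} reason {2} (retry {3:N1}s after previous denial from {4})' -f `
                $r.Time.ToString('s'), $r.User, $r.ReasonCode,
                ($r.Time - $prev.Time).TotalSeconds, $r.NasIP
        }
        $prev = $r
    }
}
```

Two things this output lets you check that a `show running-config` comparison cannot. The ASA prints the `aaa-server ... key` value masked in `show running-config`, so a shared secret retyped on the RMA unit can differ from the one registered for that NAS in NPS while both configurations look identical line by line; NPS then logs reason code 16 for every request because it cannot decrypt the password attribute. Second, the AuthenticationType column shows whether the ASA is sending PAP or MS-CHAPv2 and which network policy matched, which is what a policy rule changed around the functional-level upgrade would affect. To trigger one authentication with a known password from the ASA itself, without the VPN client in the path, use `test aaa-server authentication <server-tag> host <nps-ip> username <user> password <pass>` on the ASA CLI and match that request to the resulting 6272 (granted) or 6273 (denied) event by time and NAS IP.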