Cisco ASA with RSA SIDs

Cyberrad (Limp Gawd, joined Sep 12, 2008, 327 messages)
Hopefully you [H]ers have some input on an issue we are experiencing. I don't control the configuration that we are having issues with, so I'll give you all the details that I have.

We have two Cisco ASA 5500s with RSA as the authentication method. These ASAs are load balanced (not sure how). We seem to have an issue where some people successfully connect to the network but can't get to any of the resources. This is intermittent. The same people will then connect and get to the network with no issues. The client machines are Vista Business using the Cisco VPN client and RSA SID 800 tokens. Any insight on this issue or even the process for this configuration would be helpful. ;)
 
Do you have sniffers on your end that are capturing packets?
 
I set up Wireshark on a client that was failing. The only thing I saw was traffic from the client looking for our servers behind the firewall. It seemed like nothing was getting through. My thought was a route issue, but if that was the case then no one would be able to get in.
 
You would probably be better off debugging IKE/IPSec from the firewalls. Do you have a TAC agreement on them? If not, I would suggest getting it. Once you have that, give Cisco a call and open a TAC case and they will help you troubleshoot the issue.
 
Cisco is supposedly involved. I say supposedly because it seems like we have contractors for Cisco trying to help us out and not necessarily Cisco. I do not believe that they have tried to trace the packets yet on their end. I will see if they can try that when we have a client that presents this issue to us.
 
Thinking about this a little more. Why would they need to debug IKE/IPSec? We see them authenticating to RSA with no errors. It is the step after the authentication that we seem to be having an issue with (connecting to the server). Are you thinking that there might be something wrong with the tunnels that are being established? Sorry, I am not too savvy on how the Cisco ASAs work. I am just trying to gather ideas of what this issue might be to help our networking team along. We recently missed a deadline because of this issue and I just want it fixed.
 
Honestly, your problem could be so many different things that you either need someone with the expertise to come in and look at it or open a TAC case. If you want to post your config here and give people access to your ASAs then that's also an option, but your posts just don't have enough information to give you any kind of real answers.

but to add something that might help,

Make sure that you're seeing similar encrypts and decrypts with your IPsec SAs; this would also imply that your ISAKMP SA is staying valid and QM_IDLE the entire time that the remote access client is connected.

Check the client configuration and make sure that the client is getting the proper protected networks.

Check the routing table on the clients, make sure it's what you expect.

This relates to the past 2 suggestions, ensure that you're running the correct scenario, split tunneling vs. full tunneling.

Ensure that you're actually seeing RAD/TAC+; I would debug whichever one you're using.

Also, you would want to debug your crypto to ensure that your SAs are completing properly and that nothing funny is going on (rekeying constantly, hashing failing, etc.).
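To make the first check above concrete (encrypt/decrypt counters that do not track each other), here is an added example, not from this thread or from Cisco, that parses the per-peer counters from `show crypto ipsec sa` and flags one-way tunnels, where the ASA keeps decrypting a client's packets but sends almost nothing back. The sample output is constructed and the line layout (`current_peer: ..., username: ...`, `#pkts encaps:` / `#pkts decaps:`) is assumed from typical ASA 8.x output, so adjust the regexes if your firmware prints it differently.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (layout assumed from ASA 8.x).
# alice: counters track each other, traffic flows both ways.
# bob: ASA decrypts his packets but encrypts nothing back, the "connected but
#      can't reach anything" symptom described in the thread.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.1

      current_peer: 198.51.100.20, username: alice
      #pkts encaps: 1543, #pkts encrypt: 1543, #pkts digest: 1543
      #pkts decaps: 1612, #pkts decrypt: 1612, #pkts verify: 1612

      current_peer: 198.51.100.77, username: bob
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 418, #pkts decrypt: 418, #pkts verify: 418
"""

PEER_RE = re.compile(r"current_peer: (\S+), username: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return {username: (peer_ip, pkts_encaps, pkts_decaps)} from the show output."""
    sas = {}
    user = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            user = m.group(2)
            sas[user] = [m.group(1), 0, 0]
            continue
        if user is None:
            continue  # header lines before the first peer block
        m = ENCAPS_RE.search(line)
        if m:
            sas[user][1] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            sas[user][2] = int(m.group(1))
    return {u: tuple(v) for u, v in sas.items()}


def one_way_tunnels(sas, min_pkts=50, ratio=0.1):
    """Flag SAs with a meaningful inbound count but almost no outbound packets."""
    return [(u, peer, enc, dec) for u, (peer, enc, dec) in sas.items()
            if dec >= min_pkts and enc < dec * ratio]
```

Run `one_way_tunnels(parse_ipsec_sa(open("ipsec_sa.txt").read()))` against a saved capture of the command; a user appearing in the result is worth checking for the routing and split-tunnel issues listed above before opening the TAC case.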
 