господа, помогите разобраться где затык?
поднял SSL VPN(svc) на ASA и столкнулся с проблемой: 2 клиента прицепляются - третий не может, пишет: login failed.на радиусе ограничений по количеству соединений нету.
в debug webvpn svc 255 тишина.
нашел вот такой интересный параметр:
asa01(config)# vpn-sessiondb max-webvpn-session-limit ?
configure mode commands/options:
<1-2> Number of WebVPN sessions
может как-то это связано? хотя я max-webvpn-session-limit вообще не выставлял.
да и webvpn не использую, только svc.
кусок конфига:
пользователи разнесены по группам с привязкой.
: Saved
:
ASA Version 8.0(2)
!
hostname asa01
domain-name ok.com
enable password 0PfjfjdfttOkQaz encrypted
names
dns-guard
!
interface Ethernet0/0
nameif eth0
security-level 0
ip address xx.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
nameif eth1
security-level 100
ip address 10.40.10.29 255.255.255.240
!
interface Ethernet0/2
nameif eth2
security-level 0
no ip address
!
interface Ethernet0/3
nameif eth3
security-level 0
no ip address
!
[...]
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
max-failed-attempts 5
aaa-server radius (eth1) host 10.40.10.34
timeout 5
key obama2009
authentication-port 1745
accounting-port 1913
aaa authentication ssh console LOCAL
[...]
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map eth3_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map eth0_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map eth3_map 65535 ipsec-isakmp dynamic eth3_dyn_map
crypto map eth3_map interface eth3
crypto map eth0_map 65535 ipsec-isakmp dynamic eth0_dyn_map
crypto map eth0_map interface eth0
crypto ca trustpoint localtrust
enrollment self
fqdn ok.com
subject-name CN=ok.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 31
308201e0 30820149 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
36311630 14060355 0403130d 70697830 322e6663 322e636f 6d311c30 1a06092a
864886f7 0d010902 160d7069 7830322e 6663322e 636f6d30 1e170d30 39303432
37313830 3932315a 170d3139 30343235 31383039 32315a30 36311630 14060355
0403130d 70697830 322e6663 322e636f 6d311c30 1a06092a 864886f7 0d010902
160d7069 7830322e 6663322e 636f6d30 819f300d 06092a86 4886f70d 01010105
0003818d 00308189 02818100 9dfb033f 4437e7dc d78335b5 3ae6479c 6388b0e5
282ce035 6d9858eb befb8c32 e82c468b 0ae4009d 51641642 32e2dbe6 f55bd3b3
49efd61f 86575bce fb90d475 5f807e63 8b3209a5 e7563ca8 e1fd7db8 d84f7ed2
ba38af41 0481aa9d 8c62c99a eb848e2a c6e7d6ea bdce670d f3f3de40 3eebd072
34a4c4a6 baa436c2 f4409141 02030100 01300d06 092a8648 86f70d01 01040500
03818100 385f0e62 2ec27431 990b22dc 61ea5889 99111ea3 23ca4aaf 685a9d41
311b20c4 3246b4eb d197030e b6a1214d 4ae124b2 f57846e8 dd1c4ac5 141cdde4
58c78377 7f45a774 ca273092 d1add5d9 d9330105 e3135ac0 d226aae7 92e2546c
2600256b 0179c28a 01ac4b74 f22a847a 384687cb 9aec75ea 3eab1484 11696090 42fef179
quit
crypto isakmp identity hostname
crypto isakmp enable eth0
crypto isakmp enable eth3
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
vpn-sessiondb max-session-limit 40
telnet timeout 5
ssh 10.40.10.34 255.255.255.255 eth1
ssh timeout 10
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
[...]
ssl trust-point localtrust eth0
webvpn
enable eth0
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy generic internal
group-policy generic attributes
dns-server value 10.40.12.196 10.40.12.196
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-tunnel-protocol IPSec svc
group-lock value generic
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value generic_splitTunnelAcl
default-domain value ok.com
user-authentication enable
client-firewall none
client-access-rule none
group-policy admins internal
group-policy admins attributes
dns-server value 10.40.12.196 10.40.12.196
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-tunnel-protocol IPSec svc
group-lock value admins
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value admins_splitTunnelAcl
default-domain value ok.com
user-authentication enable
client-firewall none
client-access-rule none
group-policy customers internal
group-policy customers attributes
dns-server value 10.40.12.196 10.40.12.196
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-tunnel-protocol IPSec svc
group-lock value customers
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customers_splitTunnelAcl
default-domain value ok.com
user-authentication enable
client-firewall none
client-access-rule none
username inc password QImcgwgwdgA/T encrypted privilege 15
tunnel-group admins type remote-access
tunnel-group admins general-attributes
address-pool admins
authentication-server-group radius
authorization-server-group radius
accounting-server-group radius
default-group-policy admins
tunnel-group admins webvpn-attributes
group-alias admins enable
tunnel-group admins ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group generic type remote-access
tunnel-group generic general-attributes
address-pool generic
authentication-server-group radius
authorization-server-group radius
accounting-server-group radius
default-group-policy generic
tunnel-group generic webvpn-attributes
group-alias generic enable
tunnel-group generic ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group customers type remote-access
tunnel-group customers general-attributes
address-pool customers
authentication-server-group radius
authorization-server-group radius
accounting-server-group radius
default-group-policy customers
tunnel-group customers webvpn-attributes
group-alias customers enable
tunnel-group customers ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group enable type remote-access
prompt hostname context
Cryptochecksum:337f90052f158f1d85fa6d0e0bf93fcc
: end
Вариант для распечатки
Маршрутизаторы CISCO и др. оборудование. (Public)
on 06-Июл-09, 14:39 
