Wednesday, November 23, 2011

VPN Client Drops Connection Frequently on First Attempt or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)"

Problem

Cisco VPN client users might receive this error when they attempt to connect to the head-end VPN device.

"VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)" or "Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool"

Solution 1

The problem might be with the IP pool assignment, whether the pool is defined on the ASA/PIX, on a RADIUS server, on a DHCP server, or on a RADIUS server acting as a DHCP server. Use the debug crypto command to verify that the netmask and the IP addresses are correct, and verify that the pool does not include the network address or the broadcast address of its subnet. RADIUS servers must be able to assign proper IP addresses to the clients.
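As an added example (not from the original post and not Cisco code), the following Python check implements the pool condition described above: given a pool range and the netmask the clients receive, it lists every address the head end would refuse because it is a network or broadcast address. The pool ranges in it are constructed samples.

```python
"""Check a remote-access VPN address pool for network/broadcast addresses.

Constructed example: the pool ranges below are made up for illustration.
An address in the pool is unusable if, for the netmask handed to the
client, it is the network or broadcast address of its subnet.
"""
import ipaddress


def pool_offenders(first, last, netmask):
    """Return the addresses in [first, last] that are a network or a
    broadcast address for `netmask`. An empty list means the pool is clean."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("pool end precedes pool start")

    offenders = []
    cursor = start
    # Walk the pool one subnet at a time instead of one address at a time,
    # so even a large pool is cheap to check.
    while cursor <= end:
        subnet = ipaddress.IPv4Network(f"{cursor}/{netmask}", strict=False)
        # A set de-duplicates the /32 case, where both addresses coincide.
        for candidate in sorted({subnet.network_address,
                                 subnet.broadcast_address}):
            if start <= candidate <= end:
                offenders.append(str(candidate))
        if subnet.broadcast_address == ipaddress.IPv4Address("255.255.255.255"):
            break  # cannot step past the top of the IPv4 space
        cursor = subnet.broadcast_address + 1
    return offenders


if __name__ == "__main__":
    # Constructed sample pools: one clean, one that spans a /24 boundary.
    samples = [
        ("192.168.10.1", "192.168.10.254", "255.255.255.0"),
        ("10.1.1.1", "10.1.2.254", "255.255.255.0"),
    ]
    for first, last, mask in samples:
        bad = pool_offenders(first, last, mask)
        status = "clean" if not bad else "will be rejected: " + ", ".join(bad)
        print(f"pool {first}-{last} mask {mask}: {status}")
```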

Solution 2

This issue can also occur when extended authentication (XAUTH) fails. Check the AAA server to troubleshoot this error. Verifying that the server authentication password matches on the server and the client, and reloading the AAA server, might resolve this issue.

Solution 3

Another workaround for this issue is to disable the threat detection feature. When there are many retransmissions for different incomplete Security Associations (SAs), an ASA with threat detection enabled can interpret them as a scanning attack and mark the VPN ports as the main offender. Disabling threat detection also removes the processing overhead it adds on the ASA; note that the commands below turn off basic and scanning threat detection for all traffic through the ASA, not only for the VPN ports. Use these commands in order to disable threat detection:

no threat-detection basic-threat
no threat-detection scanning-threat shun
no threat-detection statistics
no threat-detection rate

For me, I fixed it with Solution 3.