No routing after AD password change (PIX + IAS + PPTP VPN)

I've been debugging all night and spent the past week banging usenet for related posts to no avail, I'm at the end of my rope.

I cannot seem to VPN into my PIX and route packets into my network after changing the password of my Active Directory account... and likewise, new users cannot route packets either.

Here's my basic setup and more information:

I have a Cisco PIX (506 and 515r, 6.3(4) flashed) in two locations with a VPN tunnel between.

Both offices are in the same Active Directory forest and domain.

The PIXes are set up to authenticate with a Windows 2000 Advanced Server using RADIUS via IAS to allow remote PPTP VPN access.

Here's where it gets weird: I changed the password for my Active Directory account the other day. Later that day, I went home and logged in successfully to the VPN using the new password... but couldn't manage to reach anything inside the network at all, even though the supplied routing tables were correct.

Confused, I logged out of the VPN, logged into OWA and remotely changed my AD password back to what it was previously. I logged back into the VPN and I am now able to reach everything inside the network again. So I'm able to authenticate with the current password, but I am only allowed to route packets if I'm using my original password.

I did a 'route print' in both cases, and the routes with the new password and the old password are identical. Based on the routes, routing and access should work perfectly. Sounds like something is caching something somewhere, right?

Confused, I set up a new user and allowed access to the VPN. I logged into the VPN successfully with the new user, but I am unable to get around inside the network. If I log in with an old user, it works, but not with new ones. The routing table looks perfect. I notice this behavior in both offices. This shoots my caching theory out the window. So, everyone can log in to the VPN, but only old accounts using old passwords can route packets? WTF?

Confused and looking for more information, I checked the Event Viewer on my domain controller. With all logins listed above, I show that IAS has successfully authenticated the users and assigned IP addresses. Confused, I rebooted the domain controller to see if there was some caching going on. I also checked IAS and Routing and Remote Access on the domain controller and see nothing related to routes existing. I also checked the IAS logfiles and see no anomalies between any of the logins.

Next, I reset my AD password to its original state, reloaded the Cisco PIX to ensure some caching wasn't occurring on it, and again rebooted my domain controller. I hop on to two computers in my house -

From one computer, I log onto the VPN using my old account w/original password. I then hop onto the PIX and set 'logging console debugging'. I test logging in with both passwords on my old account - all is successful and looks ok between both logins. For S&G, I tried to telnet to an IP inside the network logged in both ways. Strangely, I only see a console log entry for the VPN connection using the original password. Nothing shows up in the console debug when I telnet internally after logging off the VPN then back in again using the newly changed password.

One last item: I logged into the VPN using my original password. I then log on to the domain controller and change my network/AD password to a new password. I log off of the domain controller but leave the VPN connection established. I can still manage to hit anywhere inside the network... until I disconnect and reconnect to the VPN. So I know this is somehow related to my VPN session on the PIX. My only other option to resolve this is packet sniffing on the domain controller, but I'm hoping someone has seen an anomaly like this before...

There has to be something caching passwords or otherwise dropping packets here, but I can't figure out who/what/where.

I walked away from this for a week and nothing updated internally, even across multiple power cycles of all equipment. I am stumped.....

Anyone have any ideas?

PS - I'm not using Cisco VPN client at all and have not been in the three years I've been configured this way.

shifty
