|Applies To||RSA ACE/Server 5.x|
RSA Authentication Manager 6.x
Cisco ASA 5520 Version 7.2.1
|Issue||Node Verification Failed|
Users unable to authenticate via VPN
|Cause||The node secret held by the Cisco ASA no longer matches the one the RSA Authentication Manager holds for that agent host, so every authentication fails with "Node Verification Failed". The node secret is stored in flash and has to be deleted explicitly; rebooting the Cisco ASA does not clear it.|
|Resolution||On the Cisco ASA the node secret is stored in flash (disk0:) as a file named after the IP address of the RSA server. Older ASA releases write the four octets in hexadecimal, newer releases write them in dotted decimal with hyphens, so the node secret for an RSA server at 142.141.235.138 is named either 8E-8D-EB-8A.SDI (older releases, hexadecimal) or 142-141-235-138.SDI (newer releases, dotted decimal).|
To delete the node secret on a Cisco ASA, connect with SSH (or telnet), locate the file and type either
delete /noconfirm disk0:/142-141-235-138.SDI
delete disk0:/142-141-235-138.SDI /noconfirm
The secret must be cleared on both sides: clear the node secret (the Node Secret Created flag) on the agent host record in the RSA Authentication Manager primary, then remove the node secret file from the Cisco ASA using the instructions below. A new node secret is negotiated on the next successful authentication.
From the command line in privileged EXEC (enable) mode:
1. Type "show flash". This lists all files in flash; the node secret file is named XXX-XXX-XXX-XXX.SDI.
2. Type "delete flash:XXX-XXX-XXX-XXX.SDI". After pressing Enter you are prompted to confirm the deletion; press Enter again to delete the file.
3. Run "show flash" again to confirm that the node secret file is gone.
4. Restart the Cisco ASA to clear the copy still held in memory and cache.
NOTE: on some later Cisco ASA firmware versions, where multiple Authentication Manager servers are configured, a separate node secret file exists for each configured server. Delete the file for every server whose node secret was cleared.
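The following helper is an added example and is not part of the original RSA article or of any Cisco or RSA tooling. It turns the naming rules above into code: given the IP address of an RSA server it derives both possible node secret file names (hexadecimal for older ASA releases, dotted decimal for newer ones), it decodes a file name found in flash back to the server address (reporting both readings when a name such as 10-10-10-10.SDI is ambiguous), and it scans a "show flash" listing for node secret files and builds the matching delete commands. The listing embedded below is constructed; its column layout only approximates real ASA output, and the parser relies on nothing but the file name being the last token on each line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `show flash` listing (not captured from a real ASA).
# Two RSA servers are configured, one file in the older hex form, one in the
# newer dotted-decimal form.
SAMPLE_SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
   12  14524416    Jul 12 2007 10:40:10  asa721-k8.bin
   13  6889764     Jul 12 2007 10:41:20  asdm-521.bin
   14  1024        Aug 01 2007 09:12:33  142-141-235-138.SDI
   15  1024        Aug 01 2007 09:12:41  8E-8D-EB-8B.SDI
   16  2048        Aug 02 2007 11:00:00  notes.txt
"""

# Four hyphen-separated groups of 1-3 hex digits followed by .SDI covers both
# the hexadecimal (two digits per octet) and the dotted-decimal (1-3 digits) form.
SDI_NAME = re.compile(
    r"^(?P<a>[0-9A-F]{1,3})-(?P<b>[0-9A-F]{1,3})-(?P<c>[0-9A-F]{1,3})-(?P<d>[0-9A-F]{1,3})\.SDI$",
    re.IGNORECASE,
)


def parse_ip(ip: str) -> Tuple[int, int, int, int]:
    """Validate a dotted-decimal IPv4 address and return its four octets."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    octets = tuple(int(p) for p in parts)
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {ip!r}")
    return octets  # type: ignore[return-value]


def node_secret_filenames(ip: str) -> Tuple[str, str]:
    """Return (hex_name, dotted_name) for the RSA server at `ip`."""
    octets = parse_ip(ip)
    hex_name = "-".join(f"{o:02X}" for o in octets) + ".SDI"
    dotted_name = "-".join(str(o) for o in octets) + ".SDI"
    return hex_name, dotted_name


def ip_candidates(filename: str) -> List[str]:
    """Decode a node secret file name back to the RSA server address.

    Returns an empty list for non-SDI names, one address in the normal case,
    and two addresses when every group is two decimal digits (e.g. 10-10-10-10.SDI),
    because such a name is valid under both naming schemes.
    """
    m = SDI_NAME.match(filename)
    if not m:
        return []
    tokens = [m.group(g) for g in "abcd"]
    candidates: List[str] = []
    # Dotted-decimal reading (newer releases): all groups decimal and <= 255.
    if all(t.isdigit() for t in tokens):
        octets = [int(t) for t in tokens]
        if all(o <= 255 for o in octets):
            candidates.append(".".join(str(o) for o in octets))
    # Hexadecimal reading (older releases): exactly two hex digits per group.
    if all(len(t) == 2 for t in tokens):
        hex_ip = ".".join(str(int(t, 16)) for t in tokens)
        if hex_ip not in candidates:
            candidates.append(hex_ip)
    return candidates


def find_node_secrets(listing: str) -> List[Tuple[str, List[str]]]:
    """Scan `show flash` output for node secret files; each hit is (name, candidate IPs)."""
    found = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[-1]
        ips = ip_candidates(name)
        if ips:
            found.append((name, ips))
    return found


def delete_commands(rsa_server_ips: List[str], listing: str) -> List[str]:
    """Build one `delete /noconfirm disk0:/...` command per node secret file present
    in `listing` that belongs to one of the configured RSA servers (both naming
    schemes are accepted, matching the NOTE about one file per server)."""
    wanted: Dict[str, str] = {}
    for ip in rsa_server_ips:
        for name in node_secret_filenames(ip):
            wanted[name.upper()] = ip
    return [
        f"delete /noconfirm disk0:/{name}"
        for name, _ in find_node_secrets(listing)
        if name.upper() in wanted
    ]


if __name__ == "__main__":
    for name, ips in find_node_secrets(SAMPLE_SHOW_FLASH):
        print(f"{name:24s} -> RSA server {' or '.join(ips)}")
    for cmd in delete_commands(["142.141.235.138", "142.141.235.139"], SAMPLE_SHOW_FLASH):
        print(cmd)
```

Paste the output of "show flash" into `SAMPLE_SHOW_FLASH` (or read it from a file) and pass the addresses of the configured RSA servers to `delete_commands`; the result is the list of commands to type before restarting the ASA and clearing the flag on the matching agent host records in Authentication Manager.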
|Legacy Article ID||a34147|