000025168 - Node Verification Failed after CISCO ASA change

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000025168
Applies ToRSA ACE/Server 5.x
RSA Authentication Manager 6.x

Cisco ASA 5520 Version 7.2.1
node secret
IssueNode Verification Failed
Users unable to authenticate via VPN
CauseNode secret is stored in flash and has to be deleted.  A reboot of the CISCO ASA device will not clear the node secret.
ResolutionOn Cisco ASA the Node secrets are stored in Flash RAM which is called disk0:.  Older versions use Hex, newer version use the dotted decimal notation, so a Node secret for an RSA Server with IP address of will either be named 8E-ED-EB-8A.SDI (Older versions with HEX used) or it will be named 142-141-235-138.SDI. 
To delete the Node secret on a Cisco ASA, telnet or connect with SSH, find the file and type either
     delete /noconfirm disk0:/142-141-235-138.SDI
     delete disk0:\142-141-235-138.SDI /noconfirm

Clear the node from the agent host entry in the RSA Authentication Manager primary, remove the node secret from the CISCO ASA device using instructions below.


From the command line in ?executive mode?:


1.       Type ?show flash?, this will list all files in flash.  The node secret file will be named XXX-XXX-XXX-XXX.SDI.
Where XXX-XXX-XXX-XXX represents the IP address of the RSA Authentication Manager (ACE/Server).


2.       Type ?delete flash:XXX-XXX-XXX-XXX.SDI?.  After enter has been pressed you will be prompted if you want to delete the file, to continue with the file deletion hit enter.


3.       Run the show flash command again to confirm that the node secret file is deleted.


4.       Restart the CISCO ASA device to clear memory and cache.



NOTE: it has been noticed that with some later version of firmware on the CISCO ASA device where multiple authentication managers are configured, a node secret file is required for each authentication manager configured.
Perform a test authentication to the Authentication Manager primary so a node secret file is created (e.g. 192-168-1-10.SDI - where is the IP address of the primary) now copy this file to use the same IP address of the next configured authentication manager in the CISCO ASA device (e.g. 192-168-10-10.SDI - where is the IP address of the replica). Now perform a test authentication to the Authentication Manager replica to confirm the configuration is working.

Legacy Article IDa34147