000019111 - 'PASSCODE REUSE ATTACK DETECTED' or 'SIMULTANEOUS AUTH detected'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000019111

Applies To:
Cisco VPN 3000 Concentrator
RSA Radius Server
RSA Authentication Manager 6.1

Issue:
Error: "PASSCODE REUSE ATTACK DETECTED" in ACE/Server logs
"Access denied" on Client
Error: "SIMULTANEOUS AUTH detected" in RSA ACE/Server logs

Cause:
Retransmitted packets from the Cisco concentrator appear to the ACE/Server to be new authentication requests.

Resolution:
To correct this issue, upgrade the VPN 3000 Concentrator to at least 3.5.3 and configure an 8-10 second retransmission time-out (not the default 4 seconds).

Cisco has changed the formatting of the retransmitted authentication requests so the ACE/Server will correctly interpret the retransmitted packets and not deny access to the user. The retransmitted request will be identical to the original, enabling the ACE/Server to detect the request is a retransmission and enabling it to retransmit the original response.
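The retransmission handling described above, as an added example that is not RSA or Cisco code: a toy server keeps a cache of recent requests in front of a one-time passcode check, so an identical resend gets the original reply while a changed resend is treated as a second use of the passcode. The cache key (sender address and port, RADIUS Identifier, Request Authenticator), the 30-second cache window, the sample address and credentials, and the assumption that the pre-fix resend differed in those header fields are all constructed for illustration.

```python
class ToyAuthServer:
    """Toy model: duplicate-request cache in front of a one-time passcode check."""

    def __init__(self, dup_window=30.0):
        self.dup_window = dup_window   # assumed lifetime of a cached reply, in seconds
        self.replies = {}              # request key -> (time seen, reply)
        self.used = set()              # (user, passcode) pairs already consumed

    def handle(self, src, identifier, authenticator, user, passcode, now):
        """Return (reply, resent) for one request arriving at time `now`."""
        # Assumed duplicate key: sender address/port plus the RADIUS Identifier
        # and Request Authenticator, so only an identical packet matches.
        key = (src, identifier, authenticator)
        cached = self.replies.get(key)
        if cached and now - cached[0] <= self.dup_window:
            return cached[1], True     # retransmission: resend the original reply
        # Anything else is a new authentication; a passcode is good only once.
        # (Toy rule: the first presentation of any passcode is accepted.)
        if (user, passcode) in self.used:
            reply = "PASSCODE REUSE ATTACK DETECTED"
        else:
            self.used.add((user, passcode))
            reply = "Access-Accept"
        self.replies[key] = (now, reply)
        return reply, False


def simulate(identical_retransmit, timeout=4.0):
    """Send one login, then the agent's retransmission `timeout` seconds later."""
    server = ToyAuthServer()
    src = ("192.0.2.10", 1645)                      # constructed agent address
    ident, auth = 7, bytes(16)                      # constructed header values
    first = server.handle(src, ident, auth, "alice", "12345678", now=0.0)
    if not identical_retransmit:
        # Assumed pre-fix behaviour: the resend carries fresh header values.
        ident, auth = 8, bytes([1]) * 16
    second = server.handle(src, ident, auth, "alice", "12345678", now=timeout)
    return first, second


if __name__ == "__main__":
    print("identical resend:", simulate(True))
    print("changed resend:  ", simulate(False))
```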

As a workaround, reconfigure the VPN Concentrator to wait longer for a response from the ACE/Server so that it does not retransmit the request. Retransmitted requests will fail if the ACE/Server receives a second request when the Concentrator is at 3.5.2 or earlier. The Cisco menu on a 3000 has a "timeout =" setting; change it from the default 4 seconds to 8 seconds to give the ACE/Server enough time to get the first response back to the Cisco.

If the Agent Host timeout is not the problem, apply Hot Fix Roll-up 5 to Authentication Manager 6.1.2. It fixes a problem where the ACE database holds the first authentication request for up to 30 seconds, forcing the Agent Host to retransmit and causing both "PASSCODE REUSE ATTACK DETECTED" and "SIMULTANEOUS AUTH detected".
Legacy Article ID: a12192
