000025567 - First authentication successful, node secret sent to client, but cannot authenticate again to Cisco VPN

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000025567

Applies To:
RSA ACE/Server
RSA Authentication Manager
Cisco VPN 3000 Concentrator

Issue:
First authentication successful, node secret sent to client, but cannot authenticate again to Cisco VPN
Node secret sent to client
"PASSCODE accepted", then the error "ACCESS DENIED, PASSCODE Incorrect", then "ACCESS DENIED, AUTH LOCK ERROR" appears in the ACE/Server log monitor or application log

Cause:
The Concentrator sent a second authentication request before the ACE/Server released the first "authentication successful" message to the Concentrator.

Resolution:
Try increasing the Cisco timeout from its default of 4 to a value anywhere from 7 to 25. This allows the user authentication to wait up to 7-25 seconds for the ACE/Server to reply before the Concentrator attempts a second authentication request, which would lock out your user.


1. Open the Web Administration Console on the Cisco Concentrator

2. Navigate the menu as follows: Configuration --> System --> Servers --> Authentication

3. Modify the SDI servers

4. Change the Resend Settings as follows: Increase from the default value of 4 to a value between 7 and 25 seconds depending on network delays

5. Use the test authentication of the administration console to verify the problem is fixed

Background information:

The ACE/Server holds the authentication attempt in a queue for protection against a race challenge. This is the Response Delay: the time in seconds that an authentication request is held before the response is returned to the Agent Host. It is used to trap certain kinds of attacks on networks where logins are performed over unencrypted telnet connections. You must choose a value that is lower than the Agent Host Timeout value so the Agent Host does not retransmit the request before the server has had time to send the response. Enter a value from 2 (default) to 15.

The Cisco timeout must be greater than the response delay by a significant amount to allow for the time to process and transmit the request.
Legacy Article ID: a7170
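
The symptom described above leaves a recognizable sequence in the log, which makes it possible to confirm the problem before changing the resend value and to check that it is gone afterwards. The following is an added example, not part of the RSA article or of RSA's tooling: it scans log lines for a "PASSCODE accepted" that is followed, for the same user and agent host, by the denial and lock messages within a short window. The line layout, user names and agent host name are constructed assumptions; only the three message strings come from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The layout (timestamp, user, agent host, message) is an
# assumption, not the real ACE/Server log format; only the message strings
# are the ones quoted in the article.
SAMPLE_LOG = """\
2017-04-21 10:15:02 jsmith vpn3000 PASSCODE accepted
2017-04-21 10:15:06 jsmith vpn3000 ACCESS DENIED, PASSCODE Incorrect
2017-04-21 10:15:06 jsmith vpn3000 ACCESS DENIED, AUTH LOCK ERROR
2017-04-21 10:20:11 akhan vpn3000 PASSCODE accepted
2017-04-21 11:02:40 mlee vpn3000 ACCESS DENIED, PASSCODE Incorrect
2017-04-21 11:30:00 akhan vpn3000 ACCESS DENIED, PASSCODE Incorrect
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")
ACCEPTED = "PASSCODE accepted"
DENIED = "ACCESS DENIED, PASSCODE Incorrect"
LOCKED = "ACCESS DENIED, AUTH LOCK ERROR"


def find_retransmit_lockouts(log_text, window_seconds=25):
    """Find accepts followed by a denial for the same user and agent host
    within window_seconds (default: the largest resend value in the article)."""
    window = timedelta(seconds=window_seconds)
    accepts = {}   # (user, agent) -> time of the latest accept
    findings = {}  # (user, agent, accept time) -> finding
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line does not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key, msg = (m.group(2), m.group(3)), m.group(4)
        if msg == ACCEPTED:
            accepts[key] = ts
        elif key in accepts and ts - accepts[key] <= window:
            fid = key + (accepts[key],)
            if msg == DENIED:
                gap = int((ts - accepts[key]).total_seconds())
                findings.setdefault(fid, {"user": key[0], "agent": key[1],
                                          "gap_s": gap, "locked": False})
            elif msg == LOCKED and fid in findings:
                findings[fid]["locked"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_retransmit_lockouts(SAMPLE_LOG):
        print(f)
```

A reported gap close to the configured resend value points at the retransmission described in the Cause, while a denial long after the accept (as for the second constructed user) is an ordinary failed login and is not reported.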