|Applies To||RSA ACE/Server, RSA Authentication Manager, Cisco VPN 3000 Concentrator|
|Issue||The first authentication succeeds and the node secret is sent to the client, but the user cannot authenticate again to the Cisco VPN. The ACE/Server log monitor or application log shows "PASSCODE accepted", then "ACCESS DENIED, PASSCODE Incorrect", then "ACCESS DENIED, AUTH LOCK ERROR".|
|Cause||The Concentrator sent a second authentication request before the ACE/Server had released the successful response to the first request.|
|Resolution||Increase the Cisco timeout from its default of 4 to a value between 7 and 25 seconds. This lets the user authentication wait up to 7-25 seconds for the ACE/Server to reply before the concentrator sends a second authentication request, which would lock out the user.|
1. Open the Web Administration Console on the Cisco Concentrator
2. Navigate the menu as follows: Configuration --> System --> Servers --> Authentication
3. Modify the SDI servers
4. Change the Resend Settings: increase the timeout from the default value of 4 to a value between 7 and 25 seconds, depending on network delays
5. Use the test authentication function of the administration console to verify that the problem is fixed
The ACE/Server holds the authentication attempt in a queue as protection against a race condition. This hold is the Response Delay: the time in seconds that an authentication request is held before the response is returned to the Agent Host. It is used to trap certain kinds of attacks on networks where logins are performed over unencrypted telnet connections. You must choose a value lower than the Agent Host timeout so the Agent Host does not retransmit the request before the server has had time to send the response. Enter a value from 2 (default) to 15.
The Cisco timeout must exceed the Response Delay by a significant margin to allow time to process and transmit the request.
|Legacy Article ID||a7170|