When some users try to authenticate to the VPN using a hardware fob, they enter their information and are then required to enter the next token number, even though they just went through this. The second time, they do not add their PIN, just the token code.
There are two reasons a user entering a passcode can get prompted for a Next Token Code (NTC):
1. They have failed a number of passcode authentications with that token - Security Console - Auth - Policy - Tokens
2. The TokenCode that was entered (Passcode=TokenCode+PIN) is slightly outside of the Window of acceptable tokencodes for that specific time.
This window of acceptable tokencodes can be thought of in terms of minutes: every code on a 60-second token, like most hardware fobs, is equal to a minute, and the AM servers are the time keepers.
Assume it is 10:09am EST on your AM server and your fob user enters his PIN+Tokencode. The AM server calculates the tokencodes for 10:08am, 10:09am and 10:10am for every token assigned to that UserID (truth be told, AM uses GMT, so it calculates the codes for 3:08pm, 3:09pm and 3:10pm UTC, but you get the picture) and compares all those codes to the code your user entered. If there is a match, user success!
In this case, the NTC is kind of a "close, but not a winner" tokencode, e.g. the code for 8:08am or 8:11am was entered (which means AM also calculated those codes).
Have a look at 000029685 - Explanation of Next Tokencode Mode and Small, Medium and Large authentication windows in RSA Authentication … for some more details.
Remember, the AM server is always right as far as time is concerned for TokenCodes, even if your NTP is wrong! So check that.
Unfortunately, hardware tokens do not have adjustable windows, so you will need to ensure that time is accurate on the AM servers to prevent unnecessary NTCs.
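As an added illustration, not code from the original answer or from RSA, here is the server-side window logic described above: a generic HMAC-based 60-second code generator stands in for the proprietary SecurID algorithm, and the window widths (accept within 1 minute, NTC prompt within 3) are assumed for the demonstration. The names `check_passcode`, `check_next_tokencode` and `outcomes_for_drift` are hypothetical; what it shows is why a fob whose clock has drifted a couple of minutes from the AM server gets the NTC prompt, and why that second step expects the bare tokencode without the PIN.

```python
import hmac
import hashlib

# Constructed stand-in: an HMAC-SHA1 code generator with a 60-second step.
# It is NOT the proprietary SecurID algorithm; only the window logic matters here.
SEED = b"constructed-demo-seed"   # constructed value, not a real token seed
PIN = "1234"                      # constructed value

def tokencode(seed: bytes, minute: int) -> str:
    """Six-digit code for a given minute number (epoch seconds // 60)."""
    mac = hmac.new(seed, minute.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

def check_passcode(passcode: str, pin: str, seed: bytes, server_minute: int,
                   accept_window: int = 1, ntc_window: int = 3):
    """Server-side view of one authentication attempt.

    Returns (result, matched_minute), where result is one of:
      "accept"          code matched server_minute +/- accept_window
      "next_tokencode"  code matched a minute just outside that window (NTC prompt)
      "reject"          wrong PIN, or nothing within ntc_window minutes matched
    Window widths are assumed for illustration, not RSA's actual values.
    """
    if not passcode.startswith(pin):
        return "reject", None
    code = passcode[len(pin):]           # Passcode = PIN + TokenCode
    for offset in range(-ntc_window, ntc_window + 1):
        if hmac.compare_digest(code, tokencode(seed, server_minute + offset)):
            status = "accept" if abs(offset) <= accept_window else "next_tokencode"
            return status, server_minute + offset
    return "reject", None

def check_next_tokencode(code: str, seed: bytes, matched_minute: int) -> bool:
    """Second step after an NTC prompt: the bare tokencode (no PIN) for the
    minute following the one that matched, proving the fob itself is present."""
    return hmac.compare_digest(code, tokencode(seed, matched_minute + 1))

def outcomes_for_drift(seed: bytes, pin: str, server_minute: int) -> dict:
    """Result the server returns for a fob whose clock is off by N minutes."""
    return {drift: check_passcode(pin + tokencode(seed, server_minute + drift),
                                  pin, seed, server_minute)[0]
            for drift in range(-4, 5)}
```

Drift of 0 or 1 minute in either direction is accepted outright, 2 or 3 minutes lands in Next Tokencode mode, and anything further is rejected; with real AM servers the same logic means a server clock that has drifted (bad NTP) shifts every fob into the NTC band at once.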