Cisco AnyConnect sends multiple authentication requests to RSA Authentication Manager resulting in the Authentication Manager accepting the first one and rejecting the other requests, so the client connects to the VPN for a very short period then disconnects a few seconds later.
In the authentication activity monitor there are multiple authentication requests. The first one succeeds and the other ones show messages such as passcode reuse or previous tokencode used. This issue is confirmed by tcpdump at the Authentication Manager using the following commands:
SSH to the RSA Authentication Manager instance.
Login as rsaadmin and enter OS credentials.
Change to the root user.
Navigate to /usr/bin.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 17:52:35 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p: sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # cd /usr/bin
am82p:/usr/bin # tcpdump -i eth0 -s 1514 -Z root -w /tmp/capture.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
Test authentication through the Cisco AnyConnect.
When done, navigate to /tmp and change file permissions.
am82p:/usr/bin # cd /tmp
am82p:/tmp # ls -al capture.cap
-rw-r--r-- 1 root root 1618 Jan 6 19:19 capture.cap
am82p:/tmp # chmod 777 capture.cap
Copy the capture to your PC and open it using Wireshark.
Search for a duplicate request in the packet capture.
The Cisco AnyConnect profile authentication timeout is set to a value which does not allow the Access-Accept packet from the Authentication Manager reach the Cisco AnyConnect before it sends another request which as expected is rejected by the Authentication Manager.
Login to the Cisco ASDM.
Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile and click to Edit the appropriate profile.
Open the Preferences (Part 2) tab, set the Authenticate Timeout to 60
This fixes the issue as the authentication requests are only sent again after 60 seconds of the last authentication request.