SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

AnyConnect VPN Authentication Failure

I am having some trouble with a new setup for Cisco ASA AnyConnect Authentication. We are running 9.6(3) on our ASA, with Authentication Manager v. 8.2.


We pulled our AD structure in for our user source, and they are currently in SystemDomain by default. When I try to use the SecurID soft token with my pin to generate a passcode for AnyConnect, the monitor reports:



User "username" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain".


This says to me I haven't tied those two items (the authenticator and the security domain) together somehow. What have I missed?


Here is the full output from the console:


Date & Time: 2017-09-01 15:44:21.934
Log Level: ERROR
Activity Key: Principal authentication
Description: User “bdecker” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Action Result Key: Failure
Result: Authentication method failed
User ID: username
User First Name: Bryan
User Last Name: Decker
User Security Domain: SystemDomain
User Identity Source Name: Non GC Active Directory
Agent Type: 7
Agent Name:
Agent IP:
Agent Security Domain: SystemDomain
Authentication Method: SecurID_Native
Policy Expression: N/A
Argument 2: 5
Argument 3: 1
Argument 4: N/A
Argument 5: N/A
Argument 6: N/A
Argument 7: N/A
Argument 8: N/A
Argument 9: N/A
Argument 10: N/A
Instance Name:
Client IPv4:
Client IPv6: N/A
Server Node IP:
Additional Information: N/A
Actor GUID: 5e47325d0d00150a3cabfc244caa677d
Session ID: b79a3e020d00150a33c0c55e3898d8eb-zrEx2kzqbYug
Agent GUID: a0e2bd7b0d00150a2d58be1fd560731f
9 Replies
New Contributor New Contributor
New Contributor

Hi Brian,


This error is pretty generic and doesn't mean  that there is something wrong with the location of the users and tokens in the security domain. Probably you have something wrong with your token, either it's out of sync or maybe the pin is not correct. Best thing to do is to test the authentication on the self-service portal. It has the same URL of the security console but ends with console-selfservice instead of console-ims. If this fails as well then you probably will need to open a support case to do a live troubleshooting,


Best Regards,

Nada Khaled

Employee (Retired) Employee (Retired)
Employee (Retired)

Bryan Decker‌,


For future reference, the following is not an error message:


          User “bdecker” attempted to authenticate using authenticator “SecurID_Native.”

          The user belongs to security domain “SystemDomain.”  


That message in the Description field is just explains what was happening.  You tried to authenticate to the Authentication Manager server using the SecurID Native protocol and you exist in the SystemDomain security domain.  The reason why the authentication failed is shown in the Action Result Key and Result Key fields, that is AUTHN_METHOD_FAILED and Authentication method failed.


As Nada Khaled‌ mentioned, that error can display for several reasons.  Confirming the token is working through the Self-Service console is a good place to start.  If it works, we know the time offset between the token and the server is correct and we can look at other causes.  If it fails, you may want to try to Resynchronize a Token and test the ASA again.



If the ASA is new, please check the Cisco Systems Inc. - Technology Integrations implementation guide for the ASA to ensure your configuration is correct.  One thing that might cause the authentication method failed error is if the ASA has multiple IP addresses.  If you set up your authentication agent information in the Security Console for IP address and the traffic is coming from the ASA on, authentication will fail.  On the ASA, confirm all of the IP addresses that belong to it.  Once you have the list, go back to the agent record in the Security Console (Access > Authentication Agent > Manage Existing) and go through the list of all of the IP addresses.  Make the change, save the agent update and test the ASA with the real time authentication activity monitor (Reporting > Real Time > Authentication Activity Monitor) open to see how the authentication request is handled by the server.



Apprised Contributor Apprised Contributor
Apprised Contributor

Since it says 'new' then I assume the node secret is not yet created.

I could not find this KB on Link, but KB 29015 - Why does an IP address override fix an Initial authentication failures with
no details: "Authentication Method Failed" 

explains why this has failed, and how you might fix it.

Employee (Retired) Employee (Retired)
Employee (Retired)

Bryan Decker‌,


The article Jay Guillette‌ noted was marked internal so not available on RSA Link.  I've  reviewed it and  made it public.  You can see it at .





Well, it isn't getting any better. 

The self-service portal also failed, giving essentially the same output in the event monitor. I tried to resynchronize the token and got this:



The ASA IP address is correct. For what it's worth, the output in the event monitor is entirely different when you have the wrong IP on the authentication agent. It reports back:



Rather than the event message I am getting.


So, i am going to work on Jay's suggestion now, and see how much progress I can make.


And now I am having trouble generating a node secret. It's kicking back a length issue related to the realm default password policy, but with the "RSA Initial Password Policy" being the only one, and generating a 32 character password, I'm not sure why it's failing.



Even though Cisco ASA guide says sdopts.rec not implemented, you can still use one, you just have to create it yourself and put it in the same place as where the node secret and status files would go, in Memory.

Your sdopts.rec should have 



I really feel like i'm missing some key parts here. I'm going to go back, review the settings and documentation for initial setup and start over. Thanks everyone!


Bryan Decker‌,


If you are still having an issue with the ASA, please and work with a support engineer.  They would be happy  to assist.