This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
WalidAbdallah
Occasional Contributor
Occasional Contributor
‎2020-09-09 02:13 PM

passcode reuse or previous tokencode

Hello,

 

We migrated some users to a different appliance recently, and they are facing authentication issues. The logs show a successful authentication, immediately followed by "passcode reuse or previous tokencode" and " Bad Tokencode but good PIN detected".

 

They are using the correct pin and the correct token from the mobile app, so not sure what is happening here.

 

Would this be be an RSA or a VPN issue? As we could not determine any issues with either so far.

 

Thank you for your time.

0 Likes
Reply
5 Replies
StevenSpicer
Valued Contributor Valued Contributor
Valued Contributor
‎2020-09-09 04:33 PM

It sounds like the agent is retransmitting the auth request, where the first auth works and the second one causes the errors you see.  Without knowing more info about your system (RADIUS or a built-in UDP agent?) it's hard to tell exactly what is wrong -- I recommend opening a case with RSA support to go over your logs and configs in a less-public forum.  If you need help opening a case, start here: https://community.rsa.com/docs/DOC-1294 

Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2020-09-09 05:21 PM

Look at the number of seconds between the first successful authentication, and the second failed reuse authentication.  Steve is right about the re-transmission of the original authentication request, but if it is less than a second later, that could indicate a bug, or a problem with a High Availability pair of Agents 'accidentally' both sending the authentication the authentication.  It could even be a loop in your network, though that is rare nowadays.

 

If the reuse authentication is from 2-5 seconds after the first authentication, that could be a simple configuration error, that did not allow enough time for the first request to be answered before it re-transmitted the same request.  Most authentications need at least 5 seconds to fully complete, busy or oversubscribed AM servers might need 6 seconds.

 

There is a tcpdump utility in Linux on all AM servers, so you could capture all authentication traffic and compare the initial authentication with the reuse authentication, to compare details like source MAC or IP address, or IP layer ID and checksum to determine if the second request were caused by a layer 2 (Spanning Tree) loop or by a layer 3 routing or configuration issue.

Reply
EdwardDavis
Employee
Employee
‎2020-09-10 08:07 AM

Migrating between servers also triggers this if the clock on one system or the other is not exactly set the same. So, the user is entering the correct code, but the system has an inaccurate clock and thinks the codes are already stale.

UTC time must always be actual UTC. On command line check it with date -u. 

Reply
WalidAbdallah
Occasional Contributor
Occasional Contributor
‎2020-09-10 12:12 PM

Thank you very much Steven, Jay, and Edward for your replies. I will follow your recommendations and open a case if needed.

0 Likes
Reply
itgroupAR
New Contributor
New Contributor
In response to WalidAbdallah
‎2022-05-30 07:50 PM

Hello, we are facing the exact same issue. If you found a solution could you please share it here

Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.