Cisco AnyConnect sends multiple authentication requests to RSA Authentication Manager. The Authentication Manager accepts the first request and rejects the others, so the client connects to the VPN for a very short period and then disconnects a few seconds later.
In the Authentication Activity Monitor there are multiple authentication requests: the first one succeeds and the others show messages such as "passcode reuse" or "previous tokencode used". This issue is confirmed with tcpdump on the Authentication Manager using the following steps:
- SSH to the RSA Authentication Manager instance.
- Login as rsaadmin and enter OS credentials.
- Change to the root user.
- Navigate to /usr/bin.
- Run tcpdump.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Mon Jan 6 17:52:35 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p: sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ # cd /usr/bin
am82p:/usr/bin # tcpdump -i eth0 -s 1514 -Z root -w /tmp/capture.cap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
- Test authentication through the Cisco AnyConnect.
- When done, navigate to /tmp and change the file permissions of the capture.
am82p:/usr/bin # cd /tmp
am82p:/tmp # ls -al capture.cap
-rw-r--r-- 1 root root 1618 Jan 6 19:19 capture.cap
am82p:/tmp # chmod 777 capture.cap
- Copy the capture to your PC and open it using Wireshark.
- Search for a duplicate request in the packet capture.
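What you are looking for in the capture is a second Access-Request for the same user, from the same ASA, sent before the Access-Accept for the first request has arrived. The script below is an added example (not RSA's or Cisco's code) that automates that check on decoded RADIUS frames. It assumes you have already pulled the UDP payloads and timestamps out of capture.cap with a pcap library of your choice; the sample frames, the IP addresses 10.0.0.5 (ASA) and 10.0.0.10 (Authentication Manager), the RADIUS identifiers and the timing are all constructed for the example.

```python
import struct
from collections import OrderedDict

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 4, 18
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def build_radius(code, ident, attrs):
    """Build a RADIUS packet with a zeroed authenticator.
    Used only to fabricate constructed sample traffic for this example."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_radius(payload):
    """Parse the RADIUS header and attribute TLVs, rejecting malformed packets."""
    if len(payload) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def find_duplicate_requests(frames):
    """frames: list of (timestamp, src_ip, dst_ip, radius_payload) in time order.
    Returns one finding per Access-Request that repeats a still-unanswered
    request for the same user from the same NAS (the AnyConnect symptom)."""
    pending = OrderedDict()  # (nas, server, id) -> (timestamp, user)
    findings = []
    for ts, src, dst, payload in frames:
        pkt = parse_radius(payload)
        if pkt["code"] == ACCESS_REQUEST:
            user = pkt["attrs"].get(ATTR_USER_NAME, [b""])[0].decode(errors="replace")
            for (nas, server, ident), (first_ts, first_user) in pending.items():
                if nas == src and server == dst and first_user == user:
                    findings.append({"user": user, "first_id": ident,
                                     "dup_id": pkt["id"],
                                     "gap_seconds": round(ts - first_ts, 3)})
                    break
            pending[(src, dst, pkt["id"])] = (ts, user)
        elif pkt["code"] in (ACCESS_ACCEPT, ACCESS_REJECT):
            # A response clears the request it answers (keyed from the NAS side).
            pending.pop((dst, src, pkt["id"]), None)
    return findings


def describe_frames(frames):
    """Render frames the way you would read them in the Wireshark packet list."""
    lines = []
    for ts, src, dst, payload in frames:
        pkt = parse_radius(payload)
        msg = pkt["attrs"].get(ATTR_REPLY_MESSAGE, [b""])[0].decode(errors="replace")
        lines.append(f"{ts:8.3f}  {src} -> {dst}  {CODE_NAMES[pkt['code']]} id={pkt['id']} {msg}".rstrip())
    return lines


# Constructed sample: the ASA (NAS) retries ~12 s later, before the
# Access-Accept for the first request comes back; the retry is rejected.
NAS, AM = "10.0.0.5", "10.0.0.10"
_USER = [(ATTR_USER_NAME, b"jdoe"), (ATTR_NAS_IP, bytes([10, 0, 0, 5]))]
SAMPLE_FRAMES = [
    (0.000, NAS, AM, build_radius(ACCESS_REQUEST, 17, _USER)),
    (12.480, NAS, AM, build_radius(ACCESS_REQUEST, 18, _USER)),
    (12.910, AM, NAS, build_radius(ACCESS_ACCEPT, 17, [])),
    (13.020, AM, NAS, build_radius(ACCESS_REJECT, 18,
                                   [(ATTR_REPLY_MESSAGE, b"Previous tokencode used")])),
]

if __name__ == "__main__":
    print("\n".join(describe_frames(SAMPLE_FRAMES)))
    for f in find_duplicate_requests(SAMPLE_FRAMES):
        print(f"duplicate request for {f['user']}: id {f['first_id']} repeated as "
              f"id {f['dup_id']} after {f['gap_seconds']} s with no reply yet")
```

A finding whose gap is close to the profile's authentication timeout, followed by the accept for the first id and a reject for the second, is the signature of the timeout being too short; a genuinely new login from the same user would only appear after the earlier request had been answered.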
The Cisco AnyConnect profile authentication timeout is set to a value that does not allow the Access-Accept packet from the Authentication Manager to reach Cisco AnyConnect before it sends another request, which, as expected, the Authentication Manager rejects.
- Login to the Cisco ASDM.
- Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile and click to Edit the appropriate profile.
- Open the Preferences (Part 2) tab and set the Authenticate Timeout to 60.
This fixes the issue because a repeat authentication request is only sent 60 seconds after the last one, which leaves time for the Access-Accept to reach the client.