Cisco AnyConnect VPN Client fails before receiving phone call

  • Question

  • Hello,

    I am running Cisco AnyConnect Secure Mobility Client (version 3.1.04072). In my production environment, I have a Cisco 5515 firewall and I am running the Multifactor Authentication server on a DC behind the firewall. When I run the client and enter my domain credentials, my phone does start to ring in a few seconds. However, before I can click the # key the VPN client already tells me "the connection attempt has failed".

    When I look in the logs, I see the following:

    Got Response.
    2015-11-11T18:30:50.014905Z|0|2780|7020|pfAuth|authenticated = true
    2015-11-11T18:30:50.014905Z|i|2780|7020|pfsvc|Pfauth succeeded for user 'jdtest' from 71.16.60.51.  Call status: SUCCESS_NO_PIN - "Only # Entered".
    2015-11-11T18:30:52.823601Z|0|2780|324|pfAuth|Got Response.
    2015-11-11T18:30:52.823601Z|0|2780|324|pfAuth|authenticated = false
    2015-11-11T18:30:52.823601Z|i|2780|324|pfsvc|Pfauth failed for user 'jdtest' from 71.16.60.51.  Call status: FAILED_PHONE_BUSY - "Auth Already In Progress". 

    I did some research on "auth already in progress" and found a link stating:

    "Multi-Factor Authentication is already processing an authentication for this user.  This is often caused by RADIUS clients that send multiple authentication requests during the same sign on."

    Is anybody familiar with this error and what the correct radius configuration for the ASA Firewall should be?

    Please advise,

    Thank you for your time.

    john


    Wednesday, November 11, 2015 6:33 PM

Answers

  • There are a couple of things you should do:

    1. The AnyConnect client has a default timeout of 12 seconds. You will need to update the Authentication Timeout in the AnyConnect client profile to be something longer such as 45-60 seconds.

    2. It sounds like the ASA is sending multiple RADIUS requests to the MFA Server before receiving a response from the first request. Make sure you have configured an appropriate 45-60 second timeout in the ASA's RADIUS settings. Also, you can go into the MFA Management Portal and configure a short cache. 15 seconds should be sufficient. Cisco ASA should be providing the client IP in attribute 66 of the RADIUS request so you should be OK creating the cache for "User, Authentication Type, Application Name, IP" which is the most secure. That way, after the MFA for the first request succeeds, the additional requests that have come from the ASA will also receive a successful response due to "Used cache" instead of a denial due to "Auth already in progress". That way, if the ASA is only listening for a response to the last request it sent and no longer listening for a response to the first request, it will get a success and allow the connection to complete.

    Tuesday, November 17, 2015 5:58 PM
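The diagnosis above (a RADIUS client re-sending the request during one sign-on) shows up in the MFA Server log as a burst of "Auth Already In Progress" failures for one user and client IP. The following script is an added example, not code from the thread or from Microsoft: it parses pfsvc result lines in the format quoted in the question, groups them by (user, IP) into sign-on bursts, and reports every burst with more than one request, so an admin can see how many retries the ASA actually sends and how far apart they are before tuning the AnyConnect and ASA timeouts. The first four log lines are the ones from the question; the 'asmith' and 'bjones' lines, the 192.0.2.x/198.51.100.x addresses, and the 60-second burst window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pfsvc result lines in the MFA Server log format shown in the question:
#   timestamp|level|pid|tid|component|message
PFAUTH_RE = re.compile(
    r"^(?P<ts>\S+)\|[^|]*\|\d+\|\d+\|pfsvc\|"
    r"Pfauth (?P<result>succeeded|failed) for user '(?P<user>[^']+)' from (?P<ip>[\d.]+)\.\s+"
    r'Call status: (?P<status>[A-Z_]+) - "(?P<detail>[^"]*)"\.?\s*$'
)

IN_PROGRESS = "Auth Already In Progress"

# Constructed sample log: the first four lines are the ones quoted in the question; the
# 'asmith' (clean single sign-on) and 'bjones' (retries spaced 12 s apart) lines are made up.
SAMPLE_LOG = """\
2015-11-11T18:30:50.014905Z|0|2780|7020|pfAuth|authenticated = true
2015-11-11T18:30:50.014905Z|i|2780|7020|pfsvc|Pfauth succeeded for user 'jdtest' from 71.16.60.51.  Call status: SUCCESS_NO_PIN - "Only # Entered".
2015-11-11T18:30:52.823601Z|0|2780|324|pfAuth|authenticated = false
2015-11-11T18:30:52.823601Z|i|2780|324|pfsvc|Pfauth failed for user 'jdtest' from 71.16.60.51.  Call status: FAILED_PHONE_BUSY - "Auth Already In Progress".
2015-11-11T18:40:00.000000Z|i|2780|400|pfsvc|Pfauth succeeded for user 'asmith' from 192.0.2.10.  Call status: SUCCESS_NO_PIN - "Only # Entered".
2015-11-11T18:45:12.000000Z|i|2780|401|pfsvc|Pfauth failed for user 'bjones' from 198.51.100.7.  Call status: FAILED_PHONE_BUSY - "Auth Already In Progress".
2015-11-11T18:45:24.000000Z|i|2780|402|pfsvc|Pfauth failed for user 'bjones' from 198.51.100.7.  Call status: FAILED_PHONE_BUSY - "Auth Already In Progress".
2015-11-11T18:45:36.000000Z|i|2780|403|pfsvc|Pfauth failed for user 'bjones' from 198.51.100.7.  Call status: FAILED_PHONE_BUSY - "Auth Already In Progress".
2015-11-11T18:45:40.000000Z|i|2780|404|pfsvc|Pfauth succeeded for user 'bjones' from 198.51.100.7.  Call status: SUCCESS_NO_PIN - "Only # Entered".
"""


def parse_pfauth(line):
    """Return a dict for a pfsvc Pfauth result line, or None for any other line."""
    m = PFAUTH_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ev


def cluster_bursts(events, window_s):
    """Group time-sorted events for one (user, ip) into sign-on bursts.

    A new burst starts when an event lands more than window_s after the burst's first event.
    """
    bursts, current = [], []
    for ev in events:
        if current and (ev["ts"] - current[0]["ts"]).total_seconds() > window_s:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return bursts


def find_duplicate_requests(lines, window_s=60.0):
    """Report each (user, ip) burst that contains more than one RADIUS request.

    window_s is an assumed upper bound on how long one sign-on takes, phone call included.
    """
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_pfauth(line)
        if ev:
            by_key[(ev["user"], ev["ip"])].append(ev)

    findings = []
    for (user, ip), events in sorted(by_key.items()):
        events.sort(key=lambda e: e["ts"])
        for burst in cluster_bursts(events, window_s):
            if len(burst) < 2:
                continue  # one request per sign-on is the healthy case
            findings.append({
                "user": user,
                "ip": ip,
                "requests": len(burst),
                "in_progress": sum(1 for e in burst if e["detail"] == IN_PROGRESS),
                "span_s": (burst[-1]["ts"] - burst[0]["ts"]).total_seconds(),
                "final_result": burst[-1]["result"],
            })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_requests(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}@{f['ip']}: {f['requests']} requests in {f['span_s']:.1f}s, "
              f"{f['in_progress']} rejected as '{IN_PROGRESS}', last result {f['final_result']}")
```

Run against the real MFA Server log, the request count per burst tells you how many times the RADIUS client retried within one sign-on, and the gap between entries approximates the client's retry interval; a burst whose last result is "failed" is the case in the question, where the client stopped listening before the call completed. The same key (user plus client IP from attribute 66) is what the suggested cache policy matches on, so bursts reported here are exactly the ones a 15-second cache would turn into "Used cache" successes.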

All replies

  • Hello John,


    We are researching on the query and would get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.


    Best Regards,

    Kamalakar K

    Thursday, November 12, 2015 10:18 AM
  • Shawn, I am having the same issue where the MFA servers are sending multiple authentication requests and certain users are getting multiple phone calls or mobile notifications per request. I see sometimes up to 8 "Auth already in progress" for the same user per connection. This happens for different RADIUS clients.
    Wednesday, April 13, 2016 5:52 PM