Cisco VPN client and error 413 (user authentication failed) with RSA SecurID

Posted on 2008-11-10
Last Modified: 2012-05-05
I have an ASA 5510 that I use to provide VPN access to my HQ network.  The authentication for the VPN users is handled by an RSA SecurID appliance.  Ever since we started using SecurID for auth (we previously used AD) we've had some issues with the auth failing if you try to connect more than once.

For example, if I connect to VPN it works fine, but if I disconnect and attempt to reconnect, it immediately gives me error 413 - user authentication failed.  If I close the VPN client and relaunch it, it will work again.  This also happens if I launch the VPN client, click connect, press cancel when it prompts for auth, and then click connect again...instead of prompting for auth, it immediately says auth failed.   Again, closing and relaunching the VPN client is all that is needed to resolve the issue, but a lot of our users don't think to try this, so it leads to a lot of calls to the helpdesk.

If we use AD for auth, this problem goes away, so it must be something to do with the SecurID system and the way the ASA talks to it.  We're running version of the Cisco IPSec VPN client, and the same problem also occurs with version 4.6.  We use the SDI auth protocol between the ASA and SecurID appliance.  We have support agreements for both devices, but Cisco and RSA each say the problem is with the other device.
Question by: FWeston
    LVL 25

    Expert Comment

    At my company I know each SecurID OTP changes every minute and can ONLY be used once per minute.  Does your ID change to a different OTP when you log in again?  Try waiting until the OTP changes again without relaunching the client.

    You still may want to check your SecurID settings though to see if something is set so you're only allowed to log in so many times within a certain amount of time.
    LVL 3

    Author Comment

    Sorry, I guess I wasn't clear.  It does this even if I cancel the connect before putting in a password and then try to reconnect.  The ASA shouldn't even be sending a request for AAA authentication to the SecurID appliance yet, so it's gotta be some kind of Cisco/SDI issue.
    LVL 25

    Expert Comment

    What do the logs on the ASA say when you move it to debug level and repeat the process?  Sounds like it gets cached.
    LVL 2

    Accepted Solution

    We had the 413 error problem using Cisco VPN version 5.0.0 and versions 4.6 and 4.7.  Cisco recommended we move to version  That was only part of the solution.  The ASA 5540 concentrators also had to be upgraded to 8.0.4 code.  That eliminated the problem.  What you are describing is exactly what we experienced.  The 413 error appeared when you clicked connect.  Didn't even get prompted for a login and that error message appeared.
