Cisco VPN client and error 413 (user authentication failed) with RSA SecurID

FWeston asked
15,276 Views
Last Modified: 2012-05-05
I have an ASA 5510 that I use to provide VPN access to my HQ network.  The authentication for the VPN users is handled by an RSA SecurID appliance.  Ever since we started using SecurID for auth (we previously used AD) we've had some issues with the auth failing if you try to connect more than once.

For example, if I connect to VPN it works fine, but if I disconnect and attempt to reconnect, it immediately gives me error 413 - user authentication failed. If I close the VPN client and relaunch it, it will work again. This also happens if I launch the VPN client, click connect, press cancel when it prompts for auth, and then click connect again... instead of prompting for auth, it immediately says auth failed. Again, closing and relaunching the VPN client is all that is needed to resolve the issue, but a lot of our users don't think to try this, so it leads to a lot of calls to the helpdesk.

If we use AD for auth, this problem goes away, so it must be something to do with the SecurID system and the way the ASA talks to it.  We're running version 5.0.00.0340 of the Cisco IPSec VPN client, and the same problem also occurs with version 4.6.  We use the SDI auth protocol between the ASA and SecurID appliance.  We have support agreements for both devices, but Cisco and RSA each say the problem is with the other device.

Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
At my company I know each SecurID OTP changes every minute and can ONLY be used once per minute. Does your ID change to a different OTP when you log in again? Try waiting until the OTP changes again without relaunching the client.

You still may want to check your SecurID settings though to see if something is set so you're only allowed to log in so many times within a certain amount of time.

Author

Commented:
Sorry, I guess I wasn't clear. It does this even if I cancel the connect before putting in a password and then try to reconnect. The ASA shouldn't even be sending a request for AAA authentication to the SecurID appliance yet, so it's gotta be some kind of Cisco/SDI issue.
Cyclops3590, Sr Software Engineer
CERTIFIED EXPERT

Commented:
What do the logs on the ASA say when you move it to debug level and repeat the process? Sounds like it gets cached.