Cisco VPN client and error 413 (user authentication failed) with RSA SecurID
Posted on 2008-11-10
I have an ASA 5510 that I use to provide VPN access to my HQ network. The authentication for the VPN users is handled by an RSA SecurID appliance. Ever since we started using SecurID for auth (we previously used AD) we've had some issues with the auth failing if you try to connect more than once.
For example, if I connect to VPN it works fine, but if I disconnect and attempt to reconnect, it immediately gives me error 413 - user authentication failed. If I close the VPN client and relaunch it, it will work again. This also happens if I launch the VPN client, click connect, press cancel when it prompts for auth, and then click connect again... instead of prompting for auth, it immediately says auth failed. Again, closing and relaunching the VPN client is all that is needed to resolve the issue, but a lot of our users don't think to try this, so it leads to a lot of calls to the helpdesk.
If we use AD for auth, this problem goes away, so it must be something to do with the SecurID system and the way the ASA talks to it. We're running version 5.0.00.0340 of the Cisco IPSec VPN client, and the same problem also occurs with version 4.6. We use the SDI auth protocol between the ASA and SecurID appliance. We have support agreements for both devices, but Cisco and RSA each say the problem is with the other device.