RSA password change

Unanswered Question
May 21st, 2010

I have the ASA configured to use RSA tokens when connecting with VPN. Users are not able to change their PIN when it expires, or create a new one, through the VPN.

error from VPN client version

Secure VPN Connection terminated by peer.

Reason 427: Unknown Error Occured at Peer.

Attached is the log from the VPN Client.

AAA config:

aaa-server SDI_Server protocol sdi
aaa-server SDI_Server (inside) host x.x.x.x
aaa-server SDI_Server (inside) host x.x.x.x

group-policy Remote_PCI_Auditors_VPN internal
group-policy Remote_PCI_Auditors_VPN attributes
dns-server value x.x.x.x x.x.x.x

vpn-tunnel-protocol IPSec
default-domain value

address-pools value Remote_PCI_Auditors_VPN_Pool

tunnel-group Remote_PCI_Auditors_VPN type remote-access
tunnel-group Remote_PCI_Auditors_VPN general-attributes
address-pool Remote_PCI_Auditors_VPN_Pool
authentication-server-group SDI_Server
default-group-policy Remote_PCI_Auditors_VPN
tunnel-group Remote_PCI_Auditors_VPN ipsec-attributes
pre-shared-key *

altarum-kmoore Fri, 05/28/2010 - 12:19

We have an RSA server in a network that we manage.

How are you querying the user information?  Are you using LDAP to pull user information from a directory?

When we had it installed, our contractor told us that we had to have LDAPS implemented if a user wanted to change their password through the RSA box. We had to install a certificate (we got Verisign) to make it work.

We have it up and running and have password resets working as well.

Nicholas Wysocki Sun, 06/06/2010 - 17:24

It is working. The problem was not our setup, but on the user end. Their internet was slow going across the country and it was timing out.

Mudasir Abbas Sat, 06/05/2010 - 04:02


Please have a look at my configs. Am I missing something, because it's not working?

aaa-server RSA protocol sdi
aaa-server RSA (Inside) host
timeout 5

group-policy XXX attributes
dns-server value
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSS-SPLIT
default-domain value
address-pools value Alsaeed_pool
  svc mtu 1374

tunnel-group SSS type remote-access
tunnel-group SSS general-attributes
address-pool Alsaeed_pool
authentication-server-group RSA
default-group-policy XXX
tunnel-group XXX webvpn-attributes
proxy-auth sdi
group-alias XXX enable
tunnel-group SSS ipsec-attributes
pre-shared-key *

Debug sdi

sdi mkreq: 0x4119a
sip_lookup: sip with id 266650 not found
alloc_sip 0xcd219080
    new request 0x4119a --> 0 (0xcd219080)
New SIP state: SDI_NEW (loc 1359)
add_req 0xcd219080 session 0x4119a id 197
init_ace_server: handle 3391925493, server_id 129, server_addr, sess_id 266650
New SIP state: SDI_WAIT_INIT_RESP (loc 1000)
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 1013)
turnaround_time - idx: 0, time: 1
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 2
New SIP state: SDI_ERROR (loc 1041)
New SIP state: SDI_DELETE (loc 1146)
remove_req 0xcd219080 session 0x4119a id 197
free_sip 0xcd219080
sdi: send queue empty

Thanks & Regards

Mudasir Abbas
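The `debug sdi` output above is easier to read once the SIP state path and the callback results are pulled out of the noise. The script below is an added example for doing that; it is not Cisco code, the regular expressions are written against the line shapes visible in the posted debug (and are assumptions for any other ASA release), and the reading of the state names as "handshake with the RSA server before any passcode is checked" is likewise an assumption drawn from the names alone. The sample input is the debug text from the post, embedded so the script runs offline.

```python
"""Summarise Cisco ASA `debug sdi` output: rebuild the SIP state path,
collect sdi_callback results and report where the session failed.

Added example for this thread, not Cisco code. Line patterns below are
assumptions based on the debug lines posted above.
"""
import re

# Constructed sample: the debug lines posted in the thread, used as offline input.
SAMPLE_DEBUG = """\
sdi mkreq: 0x4119a
sip_lookup: sip with id 266650 not found
alloc_sip 0xcd219080
    new request 0x4119a --> 0 (0xcd219080)
New SIP state: SDI_NEW (loc 1359)
add_req 0xcd219080 session 0x4119a id 197
init_ace_server: handle 3391925493, server_id 129, server_addr, sess_id 266650
New SIP state: SDI_WAIT_INIT_RESP (loc 1000)
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 1
New SIP state: SDI_WAIT_LOCK_RESP (loc 1013)
turnaround_time - idx: 0, time: 1
In sdi_callback: handle 3391925493, error code 1, sdi_status 0, sess_id 266650, state: 2
New SIP state: SDI_ERROR (loc 1041)
New SIP state: SDI_DELETE (loc 1146)
remove_req 0xcd219080 session 0x4119a id 197
free_sip 0xcd219080
sdi: send queue empty
"""

STATE_RE = re.compile(r"New SIP state: (\w+) \(loc (\d+)\)")
CALLBACK_RE = re.compile(
    r"In sdi_callback: handle (\d+), error code (\d+), sdi_status (\d+), "
    r"sess_id (\d+), state: (\d+)")
INIT_RE = re.compile(
    r"init_ace_server: handle (\d+), server_id (\d+), server_addr\s*([^,]*), sess_id (\d+)")


def summarize_sdi_debug(text):
    """Walk the debug lines in order and return a dict describing the session."""
    states = []        # SIP states in the order they were entered
    callbacks = []     # (error_code, sdi_status, state the session was in when it arrived)
    server_addr = None
    session_id = None
    current = None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            current = m.group(1)
            states.append(current)
            continue
        m = CALLBACK_RE.search(line)
        if m:
            callbacks.append((int(m.group(2)), int(m.group(3)), current))
            continue
        m = INIT_RE.search(line)
        if m:
            # An empty server_addr in the debug (as in the post) is reported as None.
            server_addr = m.group(3).strip() or None
            session_id = int(m.group(4))
    failed = "SDI_ERROR" in states
    failed_from = None
    if failed and states.index("SDI_ERROR") > 0:
        failed_from = states[states.index("SDI_ERROR") - 1]
    return {
        "states": states,
        "callbacks": callbacks,
        "error_callbacks": [c for c in callbacks if c[0] != 0],
        "server_addr": server_addr,
        "session_id": session_id,
        "failed": failed,
        "failed_from": failed_from,
    }


def triage(summary):
    """Turn the summary into short findings a VPN admin can check."""
    findings = []
    if summary["failed"]:
        findings.append(f"session {summary['session_id']} ended in SDI_ERROR, "
                        f"entered from {summary['failed_from']}")
    for code, status, state in summary["error_callbacks"]:
        findings.append(f"sdi_callback returned error code {code} "
                        f"(sdi_status {status}) while in {state}")
    if summary["server_addr"] is None:
        findings.append("init_ace_server logged no server_addr: confirm the "
                        "aaa-server host line carries an address")
    if summary["failed"] and summary["failed_from"] in ("SDI_WAIT_INIT_RESP", "SDI_WAIT_LOCK_RESP"):
        # Assumption: these states are the initial ASA-to-RSA handshake, so a
        # failure here is between ASA and RSA server, not client and ASA.
        findings.append("failure during the initial ASA-to-RSA handshake; check "
                        "reachability to the RSA server before looking at the client")
    return findings


if __name__ == "__main__":
    for finding in triage(summarize_sdi_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Run on the posted debug, the script shows the session going SDI_NEW, SDI_WAIT_INIT_RESP, SDI_WAIT_LOCK_RESP and then straight to SDI_ERROR, with both callbacks carrying error code 1 and no server address logged, which matches the `aaa-server RSA (Inside) host` line above having no address shown.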

