SA520 SSL VPN Two Factor Authentication

Jul 31st, 2012

Hello Everybody,

Has anyone got any experience with two factor setup with Symantec VIP?

I just finished setting it up, and the VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication. Any ideas?


I don't think Cisco supports Verisign VIP any longer.  And, I don't think Verisign knows about it yet.

Here are a couple of threads that I have opened regarding VIP.  We are experiencing the exact same issues as you.  The router seems to communicate with and update Verisign, but the router will not prompt for the 6-digit number after the SSL VPN user logs in.

https://supportforums.cisco.com/thread/2157584?tstart=0

https://supportforums.cisco.com/thread/2160657?tstart=60

I have tried and tried to get Cisco to support VIP, but they won't answer any questions about it here on the forums, nor is SBSC any help.  I called, opened a case (the guy didn't give a case number though), and they promised to call me back the next day.  They never did.

Our trial ends very shortly.  We will reset our SA540 to factory defaults a few days before the trial ends just in case our SA540 shoots craps when the trial expires.  We (or I actually) have kept detailed notes regarding all of our settings.  I just hope that our 3-year licenses for IPS and Trend Micro ProtectLink Web remain intact.

I wish I had better news for you.

Prabath Godevit... Tue, 07/31/2012 - 21:53

I just logged a TAC case and they advised me it should work, but the TAC tech didn't have much knowledge of the device, so he went looking for a specialist for the device and is supposed to get back to me tomorrow. Will give you an update as soon as I have a reply.

You should be able to get a backup of the current config from the Administration section.

Prabath Godevit... Wed, 08/08/2012 - 21:45

Hey Curtis, apparently it's a firmware issue and you need to contact TAC and obtain a working version of the firmware. I just got mine sorted out by loading a beta version. Should have gone with the lower-end ASA series if I knew that this was going to be such a pain.

Thanks for the heads up.  I opened a case with the CSBC and received a beta version as well.  We loaded it a couple of days ago and re-configured our router, but we did not have time to jack with the Verisign VIP stuff.  What version did you get?  I got 2.2.0.3_1.  Just curious so I can make sure we are on the same version.

Prabath Godevit... Wed, 08/08/2012 - 23:47

Mine is 2.1.78 and the one I had was 2.1.78 (this is the one that didn't work). When comparing to your 2.2.0.3_1 it seems like they have a couple of major releases in between, and I have no idea why they are still giving away betas. Something's just not right here.

Prabath Godevit... Thu, 08/09/2012 - 15:39

Yeah, that would be right, as the Techo said they are planning to release this version very soon but no ETA yet. Hopefully wouldn't have any more issues.

As discussed in several other threads, it is costly to release each firmware release.  Not only do you have the cost of performing the requirements, design, coding, and testing, you have the cost of writing the documentation, including the release notes and open source PDFs.

For the reason above, I hope they skip the 2.1.78 release and put all of their efforts into 2.2.0.x (including any bug fixes they implemented in 2.1.78), so it can be released sooner.  We are going on 3 days of running 2.2.0.3_1 and it seems to be a solid build.

I will let you know though if the Verisign VIP trial works as soon as I get the approval to implement it.

Well I took the time to re-try implementing Verisign VIP and it is still exhibiting the same behavior.  Using 'Pilot' doesn't work (I can't activate users), but 'Production' does.  Unfortunately users still aren't prompted to enter the 6 digit code after logging in though.

2.1.78 must have been built specifically to fix Verisign VIP.  Hopefully they implement the same fixes into the 2.2.0.x firmware.  In the meantime I will need to contact the CSBC to get 2.1.78. 

Prabath Godevit... Sun, 08/12/2012 - 16:39

2.1.78 does the same on validation if you select Pilot, and I raised the same question with the tech and he advised me that VIP is not a pilot anymore and the service they currently offer is a trial of the real thing.

I got the approval to deploy the new firmware Tuesday night.  On both Wednesday and Thursday mornings no one could access the Internet.  On Wednesday morning rebooting our cable modem fixed the issue.  This morning rebooting the cable modem didn't fix it.  I had to reboot the SA540 as well.

On Wednesday morning the SA540 showed that the WAN was down.  This morning it showed that the WAN was up.

I had to perform an emergency deployment of the previous firmware and re-configure the router from scratch (which I always do after deploying new firmware).

We never got to test, or even turn on, Verisign VIP. 
