SA520 SSL VPN Two Factor Authentication

Unanswered Question
Jul 31st, 2012

Hello Everybody,

Has anyone got any experience with two factor setup with Symantec VIP?

I just finished setting it up, and the VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication. Any ideas?

doug_counsil@ya... Tue, 07/31/2012 - 19:49

I don't think Cisco supports Verisign VIP any longer.  And, I don't think Verisign knows about it yet.

Here are a couple of threads that I have opened regarding VIP.  We are experiencing the exact same issues as you.  The router seems to communicate with and update Verisign, but the router will not prompt for the 6-digit number after the SSL VPN user logs in.

https://supportforums.cisco.com/thread/2157584?tstart=0

https://supportforums.cisco.com/thread/2160657?tstart=60

I have tried and tried to get Cisco to support VIP, but they won't answer any questions about it here on the forums, nor is SBSC any help.  I called, opened a case (the guy didn't give a case number though), and they promised to call me back the next day.  They never did.

Our trial ends very shortly.  We will reset our SA540 to factory defaults a few days before the trial ends just in case our SA540 shoots craps when the trial expires.  We (or I actually) have kept detailed notes regarding all of our settings.  I just hope that our 3-year licenses for IPS and Trend Micro ProtectLink Web remain intact.

I wish I had better news for you.

preranda78 Tue, 07/31/2012 - 21:53

I just logged a TAC case and they advised me it should work, but the TAC tech didn't have much knowledge of the device, so he went looking for a specialist for the device and is supposed to get back to me tomorrow. Will give you an update as soon as I have a reply.

You should be able to get a backup of the current config from the Administration section.

doug_counsil@ya... Wed, 08/01/2012 - 10:17

That's great.  We don't have access to TAC.  We purchased a 3-year support contract from CDW (online) for our SA540, but that doesn't give us access to TAC.  We have to go through CDW (I guess?) if we want something entered into TAC.

preranda78 Wed, 08/08/2012 - 21:45

Hey Curtis, apparently it's a firmware issue and you need to contact TAC and obtain a working version of the firmware. I just got mine sorted out by loading a beta version. Should have gone with the lower-end ASA series if I knew that this was going to be such a pain.

doug_counsil@ya... Wed, 08/08/2012 - 22:33

Thanks for the heads up.  I opened a case with the CSBC and received a beta version as well.  We loaded it a couple of days ago and re-configured our router, but we did not have time to jack with the Verisign VIP stuff.  What version did you get?  I got 2.2.0.3_1.  Just curious so I can make sure we are on the same version.

preranda78 Wed, 08/08/2012 - 23:47

Mine is 2.1.78 and the one I had was 2.1.78 (this is the one that didn't work). When comparing to your 2.2.0.3_1, it seems like they have a couple of major releases in between, and I have no idea why they are still giving away betas. Something's just not right here.

doug_counsil@ya... Thu, 08/09/2012 - 08:30

The firmware they provided you was probably compiled to fix your specific issue (at one time or another).  2.1.78 would be much less risky to implement in a production environment than 2.2.0.3_1!

We specifically requested the latest beta firmware that is being regression tested right now.

preranda78 Thu, 08/09/2012 - 15:39

Yeah, that would be right, as the techo said they are planning to release this version very soon but no ETA yet. Hopefully wouldn't have any more issues.

doug_counsil@ya... Thu, 08/09/2012 - 15:51

As discussed in several other threads, it is costly to release each firmware release.  Not only do you have the cost of performing the requirements, design, coding, and testing, you have the cost of writing the documentation, including the release notes and open source PDFs.

For the reason above, I hope they skip the 2.1.78 release and put all of their efforts into 2.2.0.x (including any bug fixes they implemented in 2.1.78), so it can be released sooner.  We are going on 3 days of running 2.2.0.3_1 and it seems to be a solid build.

I will let you know though if the Verisign VIP trial works as soon as I get the approval to implement it.

doug_counsil@ya... Sun, 08/12/2012 - 11:44

Well I took the time to re-try implementing Verisign VIP and it is still exhibiting the same behavior.  Using 'Pilot' doesn't work (I can't activate users), but 'Production' does.  Unfortunately users still aren't prompted to enter the 6 digit code after logging in though.

2.1.78 must have been built specifically to fix Verisign VIP.  Hopefully they implement the same fixes into the 2.2.0.x firmware.  In the meantime I will need to contact the CSBC to get 2.1.78. 

preranda78 Sun, 08/12/2012 - 16:39

2.1.78 does the same on validation if you select Pilot. I raised the same question with the tech, and he advised me that VIP is not a pilot anymore and the service they currently offer is a trial of the real thing.

doug_counsil@ya... Sun, 08/12/2012 - 17:24

Good to know.  Thanks.

I still can't get our SA540 to prompt for the 6 digit code after logging into SSL VPN.    I have emailed the level 2 tech assigned to my case.  I'll let you know what I find out.  The last thing we need is for the VIP *fix* in 2.1.78 to get lost when 2.2.0.x goes live.

doug_counsil@ya... Tue, 08/21/2012 - 17:50

Tech Support sent me a link for 2.1.78.  I don't think I will have the opportunity to deploy the new firmware for a few weeks.  I'll keep you guys posted on whether or not I can get Verisign VIP to work with this firmware.

doug_counsil@ya... Thu, 08/23/2012 - 17:28

I got the approval to deploy the new firmware Tuesday night.  On both Wednesday and Thursday mornings no one could access the Internet.  On Wednesday morning rebooting our cable modem fixed the issue.  This morning rebooting the cable modem didn't fix it.  I had to reboot the SA540 as well.

On Wednesday morning the SA540 showed that the WAN was down.  This morning it showed that the WAN was up.

I had to perform an emergency deployment of the previous firmware and re-configure the router from scratch (which I always do after deploying new firmware).

We never got to test, or even turn on, Verisign VIP. 

doug_counsil@ya... Mon, 10/08/2012 - 12:08

We deployed Beta firmware version 2.2.0.7 this weekend.  Verisign VIP has been fixed in this release.

Just FYI...

Posted July 31, 2012 at 6:51 PM