Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

SecurID fails after re-ip addressing ASA

So I learned something new about SDI (RSA securID) yesterday. So I put a new ASA in parallel to an old Pix. I pointed my new ASA over to their brand new RSA server. Then when we moved the ASA into the same IP space as the PIX, everything worked except for RSA authentication. We checked DNS and the ‘agent hosts’ on the RSA and everything seemed correct. Then I read about the sdi file on the flash of an ASA. So what happens is on the first authentication, the RSA hands down an sdi file to the ASA and this becomes the shared key between the 2 devices. The only problem that I found was that the file contains the inside IP of the ASA. So when I changed my inside IP of the my ASA to the IP of the PIX, that sdi file was now invalid. The way to fix it was to simply delete the file.

Error message on the RSA was “node verification failed.”


vpn(config)# dir
Directory of disk0:/

6 drwx 8192 09:18:46 May 31 2008 crypto_archive
91 -rwx 14635008 03:08:24 Aug 12 2008 asa803-k8.bin
92 -rwx 6851212 03:10:56 Aug 12 2008 asdm-603.bin
2 drwx 8192 03:14:44 Aug 12 2008 log
93 -rwx 2153344 11:33:12 Aug 12 2008 anyconnect-win-2.2.0136-k9.pkg
99 -rwx 512 19:01:08 Aug 13 2008 10-100-1-20.sdi

Version history
Revision #:
1 of 1
Last update:
‎06-09-2009 03:57 AM
Updated by:
 
Labels (1)