Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

SA520 SSL VPN Two Factor Authentication

Hello Everybody,

Has anyone got any experience with two factor setup with Symantec VIP?

I just fined setting it up and VIP Service and SA520 seems to be synchronizing correctly but device doesnt direct VPN users for second authentication ? any ideas                  

16 REPLIES
New Member

SA520 SSL VPN Two Factor Authentication

I don't think Cisco supports Verisign VIP any longer.  And, I don't think Verisign knows about it yet.

Here are a couple of threads that I have opened regarding VIP.  We are experiencing the exact same issues as you.  The router seems to communicate with and update Verisign, but the router will not prompt for the 6-digit number after the SSL VPN user logs in.

https://supportforums.cisco.com/thread/2157584?tstart=0

https://supportforums.cisco.com/thread/2160657?tstart=60

I have tried and tried to get Cisco to support VIP, but they won't answer any questions about it here on the forums, nor is SBSC any help.  I called, opened a case (the guy didn't give a case number though), and they promised to call me back the next day.  They never did.

Our trial ends very shortly.  We will reset our SA540 to factory defaults a few days before the trial ends just in case our SA540 shoots craps when the trial expires.  We (or I actually) have kept detailed notes regarding all of our settings.  I just hope that our 3-year licenses for IPS and Trend Micro ProtectLink Web remain intact.

I wish I had better news for you.

SA520 SSL VPN Two Factor Authentication

I just logged an TAC case and they advised me it should work but the TAC tech didnt have much knowledge of the device so he went looking for specilist for the device and suppose to get back to me tomorrow.will give you an update as soon as i have a reply

You should be able to get a back up of the current config from Administration Section

New Member

SA520 SSL VPN Two Factor Authentication

That's great.  We don't have access to TAC.  We purchased a 3-year support contract from CDW (online) for our SA540, but that doesn't give us access to TAC.  We have to go through CDW (I guess?) if we want something entered into TAC.

SA520 SSL VPN Two Factor Authentication

Hey Curtis,Appearently its a Firmware issue and you need to contact TAC and obtain a working version of the Firmware.I just got mine sorted out by loading a beta version.Should have gone with lower end ASA series if i knew that this is going be such a pain

New Member

SA520 SSL VPN Two Factor Authentication

Thanks for the heads up.  I opened a case with the CSBC and received a beta version as well.  We loaded it a couple of days ago and re-configured our router, but we did not have time to jack with the Verisign VIP stuff.  What version did you get?  I got 2.2.0.3_1.  Just curious so I can make sure we are on the same version.

SA520 SSL VPN Two Factor Authentication

Mine is 2.1.78 and the one i had was 2.1.78(this is the one that didnt work).when comparing to your 2.2.0.3_1 it seems like they have couple of major releases in between and i have no idea why they still giving away betas.something's just not right here

New Member

SA520 SSL VPN Two Factor Authentication

The firmware they provided you was probably compiled to fix your specific issue (at one time or another).  2.1.78 would be much less risky to implement in a production environment than 2.2.0.3_1!

We specifically requested the latest beta firmware that is being regression tested right now.

Re: SA520 SSL VPN Two Factor Authentication

yea that would be right as the Techo said they are planning to relase this version very soon but no ETA yet.hopefully woudnt have any more issues.

New Member

SA520 SSL VPN Two Factor Authentication

As discussed in several other threads, it is costly to release each firmware release.  Not only do you have the cost of performing the requirements, design, coding, and testing, you have the cost of writing the documentation, including the release notes and open source PDFs.

For the reason above, I hope they skip the 2.1.78 release and put all of their efforts into 2.2.0.x (including any bug fixes they implemented in 2.1.78), so it can be released sooner.  We are going on 3 days of running 2.2.0.3_1 and it seems to be a solid build.

I will let you know though if the Verisign VIP trial works as soon as I get the approval to implement it.

New Member

SA520 SSL VPN Two Factor Authentication

Well I took the time to re-try implementing Verisign VIP and it is still exhibiting the same behavior.  Using 'Pilot' doesn't work (I can't activate users), but 'Production' does.  Unfortunately users still aren't prompted to enter the 6 digit code after logging in though.

2.1.78 must have been built specifically to fix Verisign VIP.  Hopefully they implement the same fixes into the 2.2.0.x firmware.  In the meantime I will need to contact the CSBC to get 2.1.78. 

SA520 SSL VPN Two Factor Authentication

2.1.78 does the same on validatation if you select Pilot and I raised the same question with the tech and he advised me that VIP is not a pilot anymore and the service they currently offer is a trial of the real thing.

New Member

SA520 SSL VPN Two Factor Authentication

Good to know.  Thanks.

I still can't get our SA540 to prompt for the 6 digit code after logging into SSL VPN.    I have emailed the level 2 tech assigned to my case.  I'll let you know what I find out.  The last thing we need is for the VIP *fix* in 2.1.78 to get lost when 2.2.0.x goes live.

New Member

SA520 SSL VPN Two Factor Authentication

preranda78,

Please read your Private Messages.

New Member

SA520 SSL VPN Two Factor Authentication

Tech Support sent me a link for 2.1.78.  I don't think I will have the opportunity to deploy the new firmware for a few weeks.  I'll keep you guys' posted on whether or not I can get Verisign VIP to work with this firmware.

New Member

SA520 SSL VPN Two Factor Authentication

I got the approval to deploy the new firmware Tuesday night.  On both Wednesday and Thursday mornings no one could access the Internet.  On Wednesday morning rebooting our cable modem fixed the issue.  This morning rebooting the cable modem didn't fix it.  I had to reboot the SA540 as well.

On Wednesday morning the SA540 showed that the WAN was down.  This morning it showed that the WAN was up.

I had to perform an emergency deployment of the previous firmware and re-configure the router from scratch (which I always do after deploying new firmware).

We never got to test, or even turn on, Verisign VIP. 

New Member

SA520 SSL VPN Two Factor Authentication

We deployed Beta firmware version 2.2.0.7 this weekend.  Verisign VIP has been fixed in this release.

Just FYI...

2353
Views
0
Helpful
16
Replies