I have been setting it in the client profile. I see that the server timeout can be set in the AAA server group, but my issue is that the AnyConnect client times out before th second part of the two factor authentication can occur.

I looked in the event viewer on the client and anyconnect reports that the timeout of 180s is beyond the allowed range, so it is defaulting to the 12 seconds. I am not sure where it is getting the 180s from, as I do not have that set in the client profile. I am wondering if it is using an older config and not updating with the new profile?

I think I am now talking to myself, but hopefully this helps someone else someday!

The profiles located in C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile were not updated. The client was using both the wrong profile AND an outdated profile. I modified the profile locally and the client worked fine. Now I need to determine why the client profile's are not being downloaded.

Patrick,

I am glad to hear that it now works as expected.

Check the config of the ASA and make sure you have assigned the correct profile to the group-policy.

Thanks.

I have checked and double checked the settings and the proper client profile is chosen. When AnyConnect talks to the firewall though, it is not updating the profiles. Either the client is not trying to download them, or the ASA is sending the wrong info.

Yep. I removed them from my machine. I also fixed the profile Iw as trying to use. I misconfigured the host info, so it was unable to connect on that profile. I am wondering if it jumps to the next profile in the folder to see if that works, which is why it was not using the intended profile?

I have it working properly now and updating the profile properly. All is right in the world.

Thanks for the help Javier!