
Premature timeout using Cisco AnyConnect with Phonefactor 2-factor authentication

gordons
Level 1

We have an ASA 5510 that handles our VPN client traffic, and occasionally we run into a client where, while using Cisco AnyConnect in conjunction with Phonefactor, the connection attempt will time out before the connection actually establishes.

The odd thing is that the logs show the client finished connecting, and the Phonefactor server shows completed authentication.  We even added a custom timeout script to increase the default 12-second timeout to 30 seconds.

This behavior has proven difficult to find a common factor for, as it has affected different versions of the client, 2.3 and 2.5, as well as Windows XP, Vista and 7 installs. 

This problem does not affect our AnyConnect/RSA clients, and if the same person on the same client with the issue is migrated over to the Cisco IPSec VPN, the problem disappears.

Has anyone encountered this issue before?

Thanks,

Gordon


This worked for me, thanks so much. I have set up my timeout to 120 secs, and after I configured the server list and pushed the XML file to the machine, the timeout takes the 120 secs.

It's years later and this is still an issue, even for the newer v4 AnyConnect.  I entered a hostname and tried both IP and FQDN (DNS resolvable on the internet) and it still does not work. I also tried someone else's suggestion and added a group. This also required me to set up a group URL to match the alias name. I was finally able to get groups working in the client profile, but still no dice on alleviating the 12-second timeout. This is very frustrating.

I had to do this recently and figured it out.  There's another timeout you need to adjust.

ISSUE 02:  MFA users have to hit approved in MFA within 10 seconds, but it seems like 3 sec., or else it fails and they get prompted for the pw again.

FIX 02:  ASDM > Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > select MFA-SVR > select MFA-IP > Edit > Timeout from 10 seconds to 30 seconds (or whatever you prefer).

dclangst1
Level 1

I know this is an old thread but we ran into it recently as well.  In our case, our 2nd factor was a third party.  It took exactly 12 seconds for you to authenticate against both factors, the phone to ring, and the keypad on a mobile device to become available.  It would time out before all that.  What we did was increase the timeout on the default context without 2 factor.  You might now have one, but we're a school and we have a number of different VPN contexts.  Once users connected to the one without 2 factor with the longer timeout, they were then able to connect to two factor since the default one didn't cut them off too soon.  That also gave them time to get the two-factor XML file pushed down.  Hope that helps other people.
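
The replies above describe two independent timers that can each cut off a slow second factor: the client-side authentication timeout delivered in the AnyConnect XML profile, and the per-server timeout on the ASA AAA server group. The following is an added example, not code from any poster or from Cisco, that checks both against the time users need to approve MFA. It assumes the profile element is `AuthenticationTimeout` and that the ASA config carries `timeout` under the `aaa-server ... host` line; the interface name, the address 192.0.2.10 and both sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the thread). MFA-SVR is the thread's own
# group label; the interface name and 192.0.2.10 are placeholders.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
</AnyConnectProfile>"""
ASA_CONFIG = """aaa-server MFA-SVR protocol radius
aaa-server MFA-SVR (inside) host 192.0.2.10
 timeout 30
"""
CLIENT_DEFAULT, AAA_DEFAULT = 12, 10  # defaults as reported in the thread

def client_timeout(profile_xml):
    """Return AuthenticationTimeout from a profile, or the default if absent."""
    for el in ET.fromstring(profile_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "AuthenticationTimeout":  # ignore namespace
            return int(el.text.strip())
    return CLIENT_DEFAULT

def aaa_timeouts(config):
    """Map (group, host) -> timeout in seconds for each aaa-server host entry."""
    result, current = {}, None
    for line in config.splitlines():
        host = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        timeout = re.match(r"\s+timeout (\d+)", line)
        if host:
            current = host.groups()
            result[current] = AAA_DEFAULT  # applies until an explicit timeout is seen
        elif current and timeout:
            result[current] = int(timeout.group(1))
        elif not line.startswith(" "):
            current = None  # left the host sub-mode
    return result

def audit(profile_xml, config, mfa_seconds):
    """List every timer shorter than the time users need to approve MFA."""
    findings = []
    ct = client_timeout(profile_xml)
    if ct < mfa_seconds:
        findings.append(f"client AuthenticationTimeout {ct}s < {mfa_seconds}s")
    for (group, host), secs in aaa_timeouts(config).items():
        if secs < mfa_seconds:
            findings.append(f"aaa-server {group} host {host} timeout {secs}s < {mfa_seconds}s")
    return findings
```

With the sample inputs, `audit(PROFILE_XML, ASA_CONFIG, 30)` flags only the client profile, which matches the situation where the AAA server timeout was raised but the client still gives up at 12 seconds.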
