I started to run into this issue lately. We use 2FA authentication for our Cisco Anyconnect Client. We have our ASA going out to our api-XXXXXXX.duo.com and using LDAPS to connect to it. We are using RADIUS with Cisco ISE. Everything has been configured long ago and we have been using 2FA for over a year now.
The problem we are having is a timeout issue between DUO and either the Cisco ASA or the Anyconnect Client on my user's personal computer.
I am able to see successful DUO attempts on the admin portal, and I am also able to see successful authentications on RADIUS. However, the user never gets the Push prompt when they enter "push" in the 2nd password field on Anyconnect. I even had the user enter the 6-digit code and it still fails.
I had the user log in to our O365 portal and they were able to log in with their credentials and use DUO push successfully. It's just from the DUO servers to my ASA that it is not working. Other users have been able to use VPN and the same api-XXXXX.duo.com server. I even created a group without 2FA authentication for VPN and the user was able to connect with just their password and no 2FA. We even logged in to the ASA web portal to download the client, which requires DUO, and we were able to send a push and log in successfully. It is just the client that has this problem. I already uninstalled and re-installed and am using the latest version on Cisco Download, 4.9.04043.
We did a packet capture and we don't see any drops or any sequences out of order from within the ASA. On the ASA we saw the public IP of the api-XXXXX.duo.com server and did a packet capture to that. So I am at a loss here and don't know what is causing the DUO timeout to the ASA or client.