DUO ASA Anyconnect Timeout

I started to run into this issue lately. We use 2FA authentication for our Cisco Anyconnect Client. We have our ASA going out to our api-XXXXXXX.duo.com and using LDAPS to connect to it. We are using RADIUS with Cisco ISE. Everything has been configured long ago and we have been using 2FA for over a year now.

The problem we are having is a timeout issue between DUO and either the Cisco ASA or Anyconnect Client on my users personal computer.

I am able to see successful DUO attempts on the admin portal, I am also able to see authentications successful on Radius. However the user never gets the Push prompt when they enter push on the 2nd password field on Anyconnect. I even have the user enter the 6 digit code and still fails.

I had the user login to our O365 portal and they were able to login with their credentials and use DUO push successfully. It’s just form the DUO servers to my ASA it is not working. Other users have been successful to use VPN and the same api-XXXXX.duo.com server. i even created a group without 2FA authentication for VPN and the user was able to connect just by their password and no 2FA. We even logged in to the ASA web portal to download the client, which requires DUO, and we were able to send a push and login successfully. It is just the client that has this problem. I already uninstalled and re-installed and using the latest version on Cisco Download 4.9.04043

We did a packet capture and we don’t see any drops or any sequences out of order from with in the ASA. On the ASA we saw the public IP of the api-XXXXX.duo.com server and did a packet capture to that. So I am at a lost here and don’t know what is causing the DUO to timeout to the ASA or client.

There are 2 places for timeouts for Anyconnect connecting to the ASA.
one is in the config of the ASA to the Duo proxy in the AAA server config. The other is in the Anyconnect Profile. You want to add an 50 to the ClientInitialization section of the xml file. It can also be set in the profile editor in ASDM. Its on the Preferences (Part 2) page, at the very bottom.

Explore the timeout setting, but if a valid Duo passcode submitted at time of auth fails then you may have some other issue (timeout shouldn’t affect this; if the passcode is submitted up front there is no out-of-band push and response to wait for before allowing access). Consider contacting Duo support.