Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2221
Views
0
Helpful
2
Replies

DUO ASA Anyconnect Timeout

raul.cavazos
Level 1
Level 1

‎01-04-2021 12:34 PM

I started to run into this issue lately. We use 2FA authentication for our Cisco Anyconnect Client. We have our ASA going out to our api-XXXXXXX.duo.com and using LDAPS to connect to it. We are using RADIUS with Cisco ISE. Everything has been configured long ago and we have been using 2FA for over a year now.

The problem we are having is a timeout issue between DUO and either the Cisco ASA or Anyconnect Client on my users personal computer.

I am able to see successful DUO attempts on the admin portal, I am also able to see authentications successful on Radius. However the user never gets the Push prompt when they enter push on the 2nd password field on Anyconnect. I even have the user enter the 6 digit code and still fails.

I had the user login to our O365 portal and they were able to login with their credentials and use DUO push successfully. It’s just form the DUO servers to my ASA it is not working. Other users have been successful to use VPN and the same api-XXXXX.duo.com server. i even created a group without 2FA authentication for VPN and the user was able to connect just by their password and no 2FA. We even logged in to the ASA web portal to download the client, which requires DUO, and we were able to send a push and login successfully. It is just the client that has this problem. I already uninstalled and re-installed and using the latest version on Cisco Download 4.9.04043

We did a packet capture and we don’t see any drops or any sequences out of order from with in the ASA. On the ASA we saw the public IP of the api-XXXXX.duo.com server and did a packet capture to that. So I am at a lost here and don’t know what is causing the DUO to timeout to the ASA or client.

0 Helpful
2 Replies 2

Ken Stieers
VIP
VIP

‎01-04-2021 01:04 PM

There are 2 places for timeouts for Anyconnect connecting to the ASA.
one is in the config of the ASA to the Duo proxy in the AAA server config. The other is in the Anyconnect Profile. You want to add an 50 to the ClientInitialization section of the xml file. It can also be set in the profile editor in ASDM. Its on the Preferences (Part 2) page, at the very bottom.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎01-06-2021 07:40 AM

Explore the timeout setting, but if a valid Duo passcode submitted at time of auth fails then you may have some other issue (timeout shouldn’t affect this; if the passcode is submitted up front there is no out-of-band push and response to wait for before allowing access). Consider contacting Duo support.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents