Only getting about two seconds to approve Duo push before VPN fails connection

So the rundown of what is happening is we use Duo to secure our VPN access. The device is a Meraki MX 450 with support for Cisco AnyConnect. Authentication is provided to the Meraki with RADIUS/AD with a Duo Auth Proxy server.

When you open AnyConnect and connect, it talks to the VPN and prompts for username and password. When you enter the correct info, you receive a Duo Push on your device. About two seconds later (literally two seconds, maybe three), if you have not hit approve on the app or don’t have the app open, staring at it waiting for the push to pop up, the VPN then prompts for username and password again.

If you hit approve fast enough, the VPN will show you are connected. Otherwise, hitting approve afterwards will still show the success in Duo Mobile, but you won’t be connected to the VPN.

Some things I tried were to make sure the Meraki, AnyConnect, and phones are all up to date. Also, I set the profile on AnyConnect to have timeouts of 30 seconds.

From what I can gather, the Meraki and VPN are not aware of Duo; it’s just an extra layer on the authentication side with RADIUS on the Duo Auth Proxy. It just seems like there is a missing timer between when the push is sent and the time to respond. I hope there is a setting on the Auth Proxy server, but I don’t know.

We also use Duo for RDP on the inside network and we are having no trouble.

1 Like

Running into the same thing with a Meraki VPN setup. Approval on Duo shows no issues but on the local machine the VPN connection times out. Also looking for answers.

Hi @JoshuaB and @vinyladdict (great username, btw!) - Welcome to the Duo Community, and thank you for asking this question here! By default, Meraki will have a RADIUS timeout of 5 seconds and 3 retries, which does not give enough time to receive and approve the Duo Push. You will need to increase the RADIUS timeout to 60-90 seconds and set the retries to 1. Please note you will not be able to do this yourself and will have to contact Meraki’s support team for help.

I see that you increased the timeout to 30 seconds, but this is not enough time. Please give the 60-90 seconds timeframe a try and see if that resolves your issue.

Hope that helps!

2 Likes
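The timing problem described in the answer above, as an added example that is not part of the thread's posts or any Duo or Meraki code: a loopback mock of a RADIUS client whose timer expires while the proxy is still waiting for the push approval. Assumptions: `nas_login`, `proxy` and `SCALE` are hypothetical names, "retries" is taken to mean total attempts, time is scaled down, and authenticator validation is omitted.

```python
import socket, struct, threading, time

SCALE = 0.02  # constructed: 1 simulated second = 20 ms of real time

def proxy(sock, approval_delay):
    """Mock auth proxy: hold the RADIUS reply until the push is approved."""
    data, addr = sock.recvfrom(4096)        # first Access-Request
    time.sleep(approval_delay * SCALE)      # user takes this long to tap Approve
    # Access-Accept (code 2), same identifier, length 20.
    # Authenticator is zeroed here; a real reply is keyed with the shared secret.
    sock.sendto(struct.pack("!BBH16s", 2, data[1], 20, b"\0" * 16), addr)

def nas_login(timeout, attempts, approval_delay):
    """Return (connected, attempts_used) for a RADIUS client with this timer.

    Assumption: `attempts` is the total number of transmissions.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    worker = threading.Thread(target=proxy, args=(srv, approval_delay), daemon=True)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout * SCALE)
    request = struct.pack("!BBH16s", 1, 42, 20, b"\0" * 16)  # Access-Request, id 42
    try:
        for n in range(1, attempts + 1):
            cli.sendto(request, srv.getsockname())  # retransmit, same identifier
            try:
                reply, _ = cli.recvfrom(4096)
            except socket.timeout:
                continue                            # timer expired, try again
            if reply[0] == 2 and reply[1] == 42:
                return True, n
        # Client has given up. The proxy still sends Access-Accept once the
        # push is approved, but nothing is listening for it any more.
        return False, attempts
    finally:
        cli.close()
        worker.join()
        srv.close()

if __name__ == "__main__":
    # Approval takes 20 simulated seconds in both runs.
    print("5 s x 3 attempts:", nas_login(5, 3, 20))
    print("60 s x 1 attempt:", nas_login(60, 1, 20))
```
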

@JoshuaB and @vinyladdict. Just like Amy said, put in a ticket with Meraki to increase the RADIUS timeout to 60-90 seconds and set the retries to 1. It usually takes Meraki a day or two to do this, but they don’t ask any questions. I also use Duo to 2FA our Meraki VPN connection.

1 Like