What happens if Duo goes down

We just had a situation that raised some major red flags with the Duo MFA.

We currently have it set up so that users need to confirm the Duo MFA when connecting to our Cisco AnyConnect VPN. But just in this past hour, Duo was down and it caused users not to be able to connect.

We also have a policy for Admins when they RDP or sign into a computer, that they need to confirm the MFA as well. This was bypassed when Duo was down and didn’t prompt us.

It was nice that I could get into my PC, but why would it bypass for one policy and not the other when the service was down? We would want our users to still be able to VPN and work when the service is down. If we have to rely on Duo being up 24/7 for us to be able to work, that sounds bad.

Also, we got no alert about the service going down and the Status.Duo.com page didn’t have anything about this issue on it.

Hi @Dburke225

Welcome to the Duo Community, and thank you for sharing your question here!

why would it bypass for one policy and not the other when the service was down?

This depends on the Duo integration and how you have it configured. By default, Duo for Windows Logon and RDP is set to FailOpen, which means Duo authentication is bypassed when offline.

Whether the failmode is configurable or not and how it is set for Cisco ASA AnyConnect depends on the configuration you’re using. Please see this article for more info on the differences between various Cisco ASA configurations.

If you’re using Cisco SAML, failmode is configurable and is set at the SAML IdP. For Cisco RADIUS, it is configurable and can be set by following the instructions for configuring the Duo Authentication Proxy failmode. For Cisco LDAPS, it is not configurable.

Also, we got no alert about the service going down and the Status.Duo.com page didn’t have anything about this issue on it.

I’m sorry you experienced this! We were working on getting an alert sent out to customers about this issue as quickly as possible. Amazon identified the root cause to be isolated to AWS US-West-2. This outage unexpectedly prevented us from making more timely updates to that page. An update should now be posted on the Status Page, and this should be resolved for customers as of now.

Despite this situation you encountered, hopefully it brings you some peace of mind to know that Duo has maintained uptime of greater than 99.99% for more than four years, and we offer a hard service level guarantee backed by SLA.

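For the Cisco RADIUS case mentioned in the reply above, here is a check of which Duo Authentication Proxy listeners fail open and which fail closed. It is an added example, not part of the original thread or Duo's own tooling. It assumes the proxy's `authproxy.cfg` uses `[radius_server_*]` sections with a `failmode` key of `safe` or `secure`, defaulting to `safe` when the key is absent. The sample config is constructed and all hosts, keys and secrets are placeholders.

```python
import configparser

# Constructed sample authproxy.cfg; every host, key and secret is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.internal
service_account_username=duosvc
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=internal

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER
client=ad_client
port=1812

[radius_server_auto2]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.2
radius_secret_1=PLACEHOLDER
client=ad_client
failmode=secure
port=1813
"""

SERVER_PREFIX = "radius_server_"   # RADIUS listener sections (assumption, see lead-in)
DEFAULT_FAILMODE = "safe"          # assumed proxy default when the key is missing
OUTCOMES = {
    "safe": "fail open: logins succeed on primary auth alone if Duo is unreachable",
    "secure": "fail closed: all logins are rejected if Duo is unreachable",
}

def audit_failmode(cfg_text):
    """Return {section: {failmode, explicit, on_outage}} for each RADIUS listener."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith(SERVER_PREFIX):
            continue
        raw = parser.get(section, "failmode", fallback=None)
        mode = (raw or DEFAULT_FAILMODE).strip().lower()
        findings[section] = {
            "failmode": mode,
            "explicit": raw is not None,  # False means the default is in effect
            "on_outage": OUTCOMES.get(mode, "unrecognized value, review config"),
        }
    return findings

if __name__ == "__main__":
    for name, result in audit_failmode(SAMPLE_CFG).items():
        print(name, result)
```

Listeners reported with `explicit: False` are relying on the default, which is worth setting deliberately so VPN behavior during an outage matches policy.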

Thank you, you were very helpful. I will check on the configurations.

I did receive a notification about the issue, but only after it was fixed. I have gotten a couple of emails like that, not once during the actual downtime.