This can happen for the following reasons:
- If you are affected by a Cisco bug where changes to the SAML Server configuration for the AnyConnect Connection Profile do not take effect immediately,
- If you have misconfigured the SAML Identity Provider for the AnyConnect Connection profile.
- If you attempt to configure a single ASA to authenticate against multiple DAG servers.
- If the Cisco ASA is not properly synced to an external NTP server. Please make sure that it is not relying on an internal NTP source or a date and time that has been manually configured.
- A certificate mismatch has been shown to cause this exact error.
Most likely the last option above as per the Duo support article I could find.
Please mark this helpful if you are happy with the response.