
Bypass when Authentication Proxy is unavailable

Andrej-Repka
Level 1

Hello, 

I'm currently deploying Duo into my environment. We are using it as MFA for RA VPN that is running on FTD.

I am wondering if there is a possible bypass for disaster recovery if, for example, an authentication proxy that is running on our ESXi environment stops working for some reason. I know there is failmode - safe that handles the case where the cloud service is inaccessible, but I'm wondering if there is this possibility for when the proxy is also inaccessible.

Thank you.

2 Replies

balaji.bandi
Hall of Fame

Maybe if you have a monitoring system that detects the failure, then you need to make changes to bypass? Does that work for you?

BB

=====Preenayamo Vasudevam=====


DuoKristina
Cisco Employee

@Andrej-Repka it sounds like you are wondering if the FTD itself has an option to allow authentication into the VPN if the configured RADIUS authenticator fails.

I don't know about FTD specifically, but I have encountered VPN devices that do have an option to continue on failure. However, that would also mean that someone who didn't actually succeed with 2FA when the proxy is online would also be allowed access, so I can't recommend this at all.

Some VPNs have an option to failover to a secondary RADIUS host. You could have two Duo Authentication Proxy servers for some redundancy if one fails.

There are other strategies for implementing high availability, like using a load balancer in front of more than one Duo proxy server. We share some options in this Duo Knowledge Base article: https://help.duo.com/s/article/authentication-proxy-availability?language=en_US.

Duo, not DUO.