cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3615
Views
1
Helpful
4
Replies

What happens if Duo goes down

Dburke225
Level 1
Level 1

We just had a situation that raised some major red flags with the Duo MFA.

We currently have it setup so that users need to confirm the Duo MFA when connecting to our cisco AnyConnect VPN. But just in this past hour, Duo was down and it caused users not to be able to connect.

We also have a policy for Admins when they RDP or sign into a computer, that they need to confirm the MFA as well. This was bypassed when Duo was down and didn’t prompt us.

It was nice that I could get into my PC but why would it By-pass for one policy and not the other when the service was down. We would want our users to be able to VPN still and be able to work when the service is down, if we have to rely on Duo being up 24/7 for us to be able to work, that sounds bad.

Also, we got no alert about the service going down and the Status.Duo.com page didn’t have anything about this issue on it.

4 Replies 4

Amy2
Level 5
Level 5

Hi @Dburke225

Welcome to the Duo Community, and thank you for sharing your question here!

why would it By-pass for one policy and not the other when the service was down.

This depends on the Duo integration and how you have it configured. By default, Duo for Windows Logon and RDP is set to FailOpen, which means Duo authentication is bypassed when offline.

Whether the failmode is configurable or not and how it is set for Cisco ASA Anyconnect depends on the configuration you’re using. Please see this article for more info on the differences between various Cisco ASA configurations

If you’re using Cisco SAML, failmode is configurable and is set at the SAML IdP. For Cisco RADIUS, it is configurable and can be set by following the instructions for configuring the Duo Authentication Proxy failmode. For Cisco LDAPS, it is not configurable.

Also, we got no alert about the service going down and the Status.Duo.com 7 page didn’t have anything about this issue on it.

I’m sorry you experienced this! We were working on getting an alert sent out to customers about this issue as quickly as possible. Amazon identified the root cause to be isolated to AWS US-West-2. This outage unexpectedly prevented us from making more timely updates to that page. An update should now be posted on the Status Page, and this should be resolved for customers as of now.

Despite this situation you encountered, hopefully it brings you some peace of mind to know that Duo has maintained uptime of greater than 99.99% for more than four years, and we offer a hard service level guarantee backed by SLA.

Thank you, you were very helpful. I will check on the configurations.

I did receive a notification about the issue, but only after it was fixed. I have gotten a couple of emails like that, not once during the actual downtime.

As you may be aware DUO was totally down yesterday and it was a big challenge. Fortunately one of our admins had the session open with the DUO portal  and was able to disable DUO for all. We are trying to setup a Break Glass account where an emergency account (for login to windows servers via console or RDP) could be used if issues with MFA and/or other cloud services. This is for the data-center, and not about users computers that can bypass duo when network is disconnected. I am looking for guidance on how to setup such break-glass account so that DUO can be bypassed. Currently if a server has an internet connection and DUO is installed, it will not bypass the DUO authentication - unless the break glass account is created on DUO portal and bypassed. Any quick help would be greatly appreciated. Thanks!

@m-choski 

I suggest you review the Duo Guide to Business Continuity Preparedness.

Duo, not DUO.
Quick Links