07-31-2012 06:51 PM
Hello Everybody,
Has anyone got any experience with two factor setup with Symantec VIP?
I just finished setting it up, and the VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication. Any ideas?
07-31-2012 07:49 PM
I don't think Cisco supports Verisign VIP any longer. And, I don't think Verisign knows about it yet.
Here are a couple of threads that I have opened regarding VIP. We are experiencing the exact same issues as you. The router seems to communicate with and update Verisign, but the router will not prompt for the 6-digit number after the SSL VPN user logs in.
https://supportforums.cisco.com/thread/2157584?tstart=0
https://supportforums.cisco.com/thread/2160657?tstart=60
I have tried and tried to get Cisco to support VIP, but they won't answer any questions about it here on the forums, nor is SBSC any help. I called, opened a case (the guy didn't give a case number though), and they promised to call me back the next day. They never did.
Our trial ends very shortly. We will reset our SA540 to factory defaults a few days before the trial ends just in case our SA540 shoots craps when the trial expires. We (or I actually) have kept detailed notes regarding all of our settings. I just hope that our 3-year licenses for IPS and Trend Micro ProtectLink Web remain intact.
I wish I had better news for you.
07-31-2012 09:53 PM
I just logged a TAC case and they advised me it should work, but the TAC tech didn't have much knowledge of the device, so he went looking for a specialist for the device and is supposed to get back to me tomorrow. Will give you an update as soon as I have a reply.
You should be able to get a backup of the current config from the Administration section.
08-01-2012 10:17 AM
That's great. We don't have access to TAC. We purchased a 3-year support contract from CDW (online) for our SA540, but that doesn't give us access to TAC. We have to go through CDW (I guess?) if we want something entered into TAC.
08-08-2012 09:45 PM
Hey Curtis, apparently it's a firmware issue and you need to contact TAC and obtain a working version of the firmware. I just got mine sorted out by loading a beta version. Should have gone with the lower-end ASA series if I knew that this is going to be such a pain.
08-08-2012 10:33 PM
Thanks for the heads up. I opened a case with the CSBC and received a beta version as well. We loaded it a couple of days ago and re-configured our router, but we did not have time to jack with the Verisign VIP stuff. What version did you get? I got 2.2.0.3_1. Just curious so I can make sure we are on the same version.
08-08-2012 11:47 PM
Mine is 2.1.78 and the one I had was 2.1.78 (this is the one that didn't work). When comparing to your 2.2.0.3_1 it seems like they have a couple of major releases in between, and I have no idea why they are still giving away betas. Something's just not right here.
08-09-2012 08:30 AM
The firmware they provided you was probably compiled to fix your specific issue (at one time or another). 2.1.78 would be much less risky to implement in a production environment than 2.2.0.3_1!
We specifically requested the latest beta firmware that is being regression tested right now.
08-09-2012 03:39 PM
Yeah, that would be right, as the techo said they are planning to release this version very soon but no ETA yet. Hopefully wouldn't have any more issues.
08-09-2012 03:51 PM
As discussed in several other threads, it is costly to release each firmware release. Not only do you have the cost of performing the requirements, design, coding, and testing, you have the cost of writing the documentation, including the release notes and open source PDFs.
For the reason above, I hope they skip the 2.1.78 release and put all of their efforts into 2.2.0.x (including any bug fixes they implemented in 2.1.78), so it can be released sooner. We are going on 3 days of running 2.2.0.3_1 and it seems to be a solid build.
I will let you know though if the Verisign VIP trial works as soon as I get the approval to implement it.
08-12-2012 11:44 AM
Well I took the time to re-try implementing Verisign VIP and it is still exhibiting the same behavior. Using 'Pilot' doesn't work (I can't activate users), but 'Production' does. Unfortunately users still aren't prompted to enter the 6 digit code after logging in though.
2.1.78 must have been built specifically to fix Verisign VIP. Hopefully they implement the same fixes into the 2.2.0.x firmware. In the meantime I will need to contact the CSBC to get 2.1.78.
08-12-2012 04:39 PM
2.1.78 does the same on validation if you select Pilot, and I raised the same question with the tech and he advised me that VIP is not a pilot anymore and the service they currently offer is a trial of the real thing.
08-12-2012 05:24 PM
Good to know. Thanks.
I still can't get our SA540 to prompt for the 6 digit code after logging into SSL VPN. I have emailed the level 2 tech assigned to my case. I'll let you know what I find out. The last thing we need is for the VIP *fix* in 2.1.78 to get lost when 2.2.0.x goes live.
08-18-2012 10:56 AM
preranda78,
Please read your Private Messages.
08-21-2012 05:50 PM
Tech Support sent me a link for 2.1.78. I don't think I will have the opportunity to deploy the new firmware for a few weeks. I'll keep you guys posted on whether or not I can get Verisign VIP to work with this firmware.