Erik Witkop
Cisco Employee

So I learned something new about SDI (RSA SecurID) yesterday. I put a new ASA in parallel to an old PIX. I pointed my new ASA over to their brand new RSA server. Then when we moved the ASA into the same IP space as the PIX, everything worked except for RSA authentication. We checked DNS and the ‘agent hosts’ on the RSA and everything seemed correct. Then I read about the sdi file on the flash of an ASA. So what happens is on the first authentication, the RSA hands down an sdi file to the ASA and this becomes the shared key between the 2 devices. The only problem that I found was that the file contains the inside IP of the ASA. So when I changed the inside IP of my ASA to the IP of the PIX, that sdi file was now invalid. The way to fix it was to simply delete the file.

Error message on the RSA was “node verification failed.”


vpn(config)# dir
Directory of disk0:/

6 drwx 8192 09:18:46 May 31 2008 crypto_archive
91 -rwx 14635008 03:08:24 Aug 12 2008 asa803-k8.bin
92 -rwx 6851212 03:10:56 Aug 12 2008 asdm-603.bin
2 drwx 8192 03:14:44 Aug 12 2008 log
93 -rwx 2153344 11:33:12 Aug 12 2008 anyconnect-win-2.2.0136-k9.pkg
99 -rwx 512 19:01:08 Aug 13 2008 10-100-1-20.sdi
