314 Views · 1 Helpful · 3 Replies

Cisco Anyconnect Microsoft MFA issue

tbilisilizas
Level 1


Hello,

We have the following issue. Two-factor authentication (2FA) via Microsoft Authenticator is configured on a Cisco ASA. The tunnel group on the ASA is connected to Cisco ISE, which acts as a RADIUS proxy.

In the condition, the Cisco ASA's IP address is added, as well as a VPN Group user (from Active Directory) configured in the group-policy, who should have 2FA enabled.

Once a request comes from the Cisco ASA to Cisco ISE, it is forwarded to a Windows NPS Server, which is connected to the Azure environment and handles the 2FA request.

On the NPS, there's a policy created for the respective VPN Group, according to which NPS works with two-factor authentication.

The problem is as follows:
When an employee connects for the first time, everything works normally without issues. But when the employee disconnects and tries to reconnect within 10 minutes, the connection fails.

ASA logs show that "Cisco ISE is not accessible" and this log repeats every 10 seconds.

Cisco ASA model: 5585
Cisco ASA version: 9.12(4)7

After 10 minutes, the user is able to connect again. This issue does not occur on another Cisco ASA device with the following model and version:
Cisco ASA model: 5515
Cisco ASA version: 9.5(2)2

Please assist us in investigating this issue.
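One way to pin down what the ASA is doing during those 10 minutes, as an added example that is not part of this thread or any Cisco tool: the script below reads ASA syslog, pairs each "AAA Marking ... server ... as FAILED" message with the next "... as ACTIVE" message for the same server, and reports how long the ASA held ISE out of service. The length of that window can then be compared with the aaa-server group's configured deadtime (the 10 minutes assumed here is an assumption; read the real value from the running config) and with the per-host counters from `show aaa-server`. The log lines, hostnames, addresses and user names are constructed for the example; the message wording follows the ASA AAA syslog format.

```python
import re
from datetime import datetime

# Constructed ASA syslog excerpt (not taken from the thread): a successful
# authentication, the RADIUS server being marked FAILED (re-logged while it is
# held out of service), the server returning to ACTIVE 10 minutes later, and
# the next successful authentication. Hostname, IPs and user are made up.
SAMPLE_LOG = """\
Jun 01 2024 08:00:05 asa-5585 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Jun 01 2024 08:07:40 asa-5585 %ASA-3-113022: AAA Marking RADIUS server 10.0.0.5 in aaa-server group ISE as FAILED
Jun 01 2024 08:07:50 asa-5585 %ASA-3-113022: AAA Marking RADIUS server 10.0.0.5 in aaa-server group ISE as FAILED
Jun 01 2024 08:17:40 asa-5585 %ASA-6-113023: AAA Marking RADIUS server 10.0.0.5 in aaa-server group ISE as ACTIVE
Jun 01 2024 08:18:02 asa-5585 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
"""

# Generic ASA syslog envelope: timestamp, hostname, %ASA-<sev>-<id>: <body>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Server state transitions logged by the AAA subsystem
MARK_RE = re.compile(
    r"AAA Marking \S+ server (?P<server>\S+) in aaa-server group (?P<group>\S+) "
    r"as (?P<state>FAILED|ACTIVE)"
)


def parse_events(text):
    """Return (timestamp, server, group, state) tuples for FAILED/ACTIVE transitions."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mark = MARK_RE.search(m.group("body"))
        if not mark:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, mark.group("server"), mark.group("group"), mark.group("state")))
    return events


def dead_windows(events):
    """Pair the first FAILED mark for a (group, server) with the next ACTIVE mark.

    Repeated FAILED marks inside an open window (the ASA re-logging while the
    server is held out of service) are folded into that window rather than
    starting a new one.
    """
    open_at = {}
    windows = []
    for ts, server, group, state in events:
        key = (group, server)
        if state == "FAILED":
            open_at.setdefault(key, ts)
        elif state == "ACTIVE" and key in open_at:
            start = open_at.pop(key)
            windows.append({
                "group": group,
                "server": server,
                "start": start,
                "end": ts,
                "minutes": (ts - start).total_seconds() / 60,
            })
    return windows


def matches_deadtime(window, deadtime_minutes=10, tolerance_s=30):
    """True when the out-of-service window is about as long as the group's deadtime.

    deadtime_minutes is an assumption for this example; take the real value
    from the aaa-server group configuration. A window that equals the deadtime
    suggests the ASA parked the server after a failed transaction and simply
    waited out the timer, rather than ISE being unreachable the whole time.
    """
    return abs(window["minutes"] * 60 - deadtime_minutes * 60) <= tolerance_s


if __name__ == "__main__":
    for w in dead_windows(parse_events(SAMPLE_LOG)):
        verdict = "looks like deadtime expiry" if matches_deadtime(w) else "check reachability"
        print(f"{w['group']}/{w['server']}: out of service {w['minutes']:.1f} min "
              f"({w['start']:%H:%M:%S} to {w['end']:%H:%M:%S}); {verdict}")
```

Run it against the real syslog export from the 5585 around a failed reconnect; a window that matches the configured deadtime points at the ASA's own fail-over logic (a single failed or timed-out transaction) rather than at network reachability to ISE, which is the distinction the `show aaa-server` counters are meant to settle.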

3 Replies

tbilisilizas
Level 1

please help

I am not so sure I have an answer.

But try using

debug webvpn anyconnect (or 255)

Let's see why the re-auth failed: is it an issue from the ASA or from the RADIUS server?

MHM

It seems like buggy behaviour from what you described. Could you please check the stats in the output of the command "sh aaa-server < group > host < ISE IP >" when that issue happens and see if there is anything suggesting a connectivity issue with ISE? Also, have you checked the firewall logs to see if there is anything suggesting a connectivity issue with ISE?