Quick question for you - we're running client VPNs through our SPAs and they authenticate using RSA SecurID. Everything seems to be working OK (clients can auth, get IP addresses and get into the network); the problems start when the RSA server chucks back a request for further info, like a token re-sync (next token / pass code) or if the token is in new PIN mode. If the token is in this state the user gets an 'Error 413 - Auth failed' message on the Cisco VPN client and cannot continue unless the PIN setup / re-sync is completed on another platform.
We have other (older VPN 3030s) using the same SecurID tokens and they work fine in the same VLAN and all the same firewall rules are in place, so I'm a little stuck as to what the problem might be.
Are there any diagnostics that we can run on the session or has anyone else had the same problem?
Thanks in advance
Which software version are you running?
If older than 12.2(18)SXF then you might be hitting this bug:
CSCeh35849 New PIN mode and next token code fail with vpn client
Resolved in SXE4 and SXF and later.
If that's not it, "debug crypto isakmp", "debug aaa authen" and "debug radius" might help, or open a TAC case.
We're running Version 12.2(18)SXF9 and Version 12.2(18)SXF16 respectively (it happens on both). I'll run some debugs and then may have to pass it to TAC.
Thanks for your help so far!