
Cisco ASA VPN - FAQ

Last Updated: January 22nd, 2019

What are the differences between the different Duo Cisco deployment configurations?

Please refer to the Duo for Cisco AnyConnect VPN with ASA or Firepower overview to learn more about the different options for protecting ASA and Firepower VPN logins with Duo MFA.

You can also learn more in this knowledge base article which compares the ASA configurations.

The Duo "IPsec VPN Instructions" configuration supports push, phone call, or passcode authentication and protects connections that use Cisco's desktop VPN client with IKE encryption instead of SSL VPN.

Does the SSL VPN configuration Duo work with the Cisco AnyConnect client?

Yes, Duo authentication is compatible with the desktop and mobile AnyConnect clients.

You'll see a "Second Password" field when using AnyConnect — this field will accept a Duo passcode (generated with Duo Mobile or sent via SMS). You can also type push to use Duo Push, sms to get a new batch of SMS passcodes, or phone to authenticate via phone call. Also see the Logging In With the Cisco AnyConnect Client page in the user guide.

If your users will only use AnyConnect, see Enrolling Users to learn how to use bulk enrollment to help with enrolling users.

Does Duo's SSL VPN configuration support the Cisco AnyConnect client version 3.1 on OS X?

Yes. Just upload the proper AnyConnect client .pkg file to your Cisco ASA (Remote Access VPN → Network (Client) Access → AnyConnect Client Software.)

Can I customize the Cisco AnyConnect client "Second Password:" Field?

Yes, you can customize the Second Password Field by:

  1. From the Cisco ASDM select Network (Client) Access → AnyConnect Customization → GUI Text and Messages.
  2. Click Add and select the desired language that you would like to modify.
  3. Under msgid "Second Password" add the desired text to the msgstr "here" field.

The customization is not updated until the client is restarted and makes another successful connection.

Is there any logging on the ASA to help troubleshoot authentication?

To monitor ASA activity during logon attempts, connect to your device using the ASDM utility and go to Monitoring → Logging → Real-Time Log Viewer. Set logging to a higher level (like "Debugging" or "Informational") and click the View button. Then, attempt to authenticate again and watch the real-time log to see your authentication activity.

To view previously captured events, go to Monitoring → Logging → Log Buffer. Select a "Logging Level" and click the View button.

Can I use Duo to protect ASA local account logins?

Absolutely! To protect users local to the ASA, with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for authentication and add the Duo LDAP AAA server group for secondary authentication.

To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication. In this scenario, your authproxy.cfg file would look something like this:

[duo_only_client]

[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
client=duo_only_client

Why is the 60 second timeout for the AAA RADIUS server ignored?

There appears to be a logic bug in the Cisco IPSec VPN server timeout settings.

  • max-failed-attempts: The number of times the ASA will use a given RADIUS server before marking it as failed if no response is received (max value of 5).
  • retry-interval: The number of seconds until the ASA will retry a given authentication (max 10 seconds).
  • timeout: The number of seconds until the ASA will fail over to a backup server (no max listed).

(Source: Cisco ASA Series General Operations CLI Configuration Guide, 9.1)

Given the above (5 attempts × 10 second retry interval), the ASA will actually have a maximum timeout of 50 seconds for any given RADIUS server, regardless of what you set as the actual timeout for that server.

If you encounter this issue, the work-around is to set an api_timeout in the Authentication Proxy config file to around 50 seconds, to ensure that it will respond before the ASA marks it as failed. This setting goes in the [radius_server_auto] section of authproxy.cfg, as shown below.

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
client=ad_client
api_timeout=45
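The check below is an added example, not Duo's or Cisco's code: it parses an authproxy.cfg (a constructed copy of the sample above, with a placeholder [ad_client] section so that client=ad_client resolves) and compares each radius_server_* section's api_timeout against the ASA's effective ceiling of max-failed-attempts × retry-interval. The 5 and 10 second defaults are the ASA maximums quoted above; the 5 second safety margin is an assumption.

```python
"""Sanity-check a Duo Authentication Proxy config against the ASA's
effective RADIUS timeout.

Added example, not Duo's or Cisco's code. The config text below is
constructed from the FAQ's sample; the [ad_client] host and the
ikey/skey/api_host values are placeholders."""
import configparser

# ASA limits quoted in the FAQ: max-failed-attempts caps at 5 and
# retry-interval caps at 10 seconds, so 5 x 10 = 50 s is the real ceiling.
ASA_MAX_FAILED_ATTEMPTS = 5
ASA_RETRY_INTERVAL = 10

# Constructed sample; the [ad_client] section is a placeholder so that
# "client=ad_client" resolves to a defined section.
SAMPLE_AUTHPROXY_CFG = """\
[ad_client]
host=dc1.example.com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
client=ad_client
api_timeout=45
"""


def effective_asa_timeout(max_failed_attempts=ASA_MAX_FAILED_ATTEMPTS,
                          retry_interval=ASA_RETRY_INTERVAL,
                          configured_timeout=60):
    """Seconds before the ASA marks the RADIUS server as failed.

    The ASA gives up after max-failed-attempts unanswered tries spaced
    retry-interval seconds apart, so the configured timeout only matters
    when it is lower than that product."""
    return min(max_failed_attempts * retry_interval, configured_timeout)


def check_authproxy(cfg_text, configured_timeout=60, margin=5):
    """Return (ceiling, findings) for every radius_server_* section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    ceiling = effective_asa_timeout(configured_timeout=configured_timeout)
    findings = []
    for section in cfg.sections():
        if not section.startswith("radius_server_"):
            continue
        opts = cfg[section]
        api_timeout = opts.getint("api_timeout", fallback=None)
        if api_timeout is None:
            findings.append(
                f"[{section}]: no api_timeout; the ASA stops waiting after "
                f"{ceiling}s, so the proxy may answer too late")
        elif api_timeout > ceiling - margin:
            findings.append(
                f"[{section}]: api_timeout={api_timeout}s is within {margin}s "
                f"of the ASA's {ceiling}s ceiling; lower it")
        client = opts.get("client")
        if client is not None and client not in cfg:
            findings.append(
                f"[{section}]: client={client} refers to a section that is "
                f"not defined")
    return ceiling, findings


if __name__ == "__main__":
    ceiling, findings = check_authproxy(SAMPLE_AUTHPROXY_CFG)
    print(f"ASA effective RADIUS timeout: {ceiling}s")
    for line in findings or ["no findings"]:
        print(line)
```

Pass the ASA's configured timeout as configured_timeout if it is lower than 50 seconds; the ceiling is then that value and the api_timeout check tightens accordingly.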

Why is the AnyConnect client connection attempt disconnecting after 12 seconds when I have increased the timeout?

An issue with the AnyConnect client causes it to ignore the timeout setting and use the 12 second default when the fully qualified domain name (FQDN) of the Cisco ASA is not present in the AnyConnect client profile. This may cause the AnyConnect client to disconnect during the two-factor authentication attempt (Cisco forum link).

To fix this, add a <ServerList> section to the AnyConnect profile as shown in the example below. If your AnyConnect profile already contains a server list section, replace the <HostAddress> IP address or non-qualified host name of your ASA with the fully qualified domain name as shown in the example.

<ServerList>
  <HostEntry>
    <HostName>ASA-01</HostName>
    <HostAddress>asa-01.cisco.com</HostAddress>
  </HostEntry>
</ServerList>

See the instructions for using the ASDM AnyConnect Client Profile Editor and configuring the Server List at the Cisco site for more information.

While the Cisco forum link above references AnyConnect 2.x versions, the issue persists in later versions.
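To find profiles that still carry an IP address or a short host name in <HostAddress>, the script below (an added example, not Duo's or Cisco's code) walks every <HostEntry> of an AnyConnect profile and classifies the address. The sample profile is constructed: only the first entry matches the FAQ's example, the other two are deliberately wrong, and the xmlns value is the one assumed for AnyConnect profiles, which is why the lookups use namespace wildcards (Python 3.8+).

```python
"""Audit an AnyConnect client profile's <ServerList> for non-FQDN
<HostAddress> values.

Added example, not Duo's or Cisco's code. The profile below is
constructed; the first entry mirrors the FAQ's example, the other two
are deliberate mistakes (an IP address and a short host name)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample profile. The namespace is assumed; the {*} wildcard
# lookups below work whether or not a profile declares one.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>ASA-01</HostName>
      <HostAddress>asa-01.cisco.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>ASA-02</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>ASA-03</HostName>
      <HostAddress>asa-03</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_host_address(addr):
    """Return 'fqdn', 'ip', 'short-name' or 'invalid' for a HostAddress."""
    addr = addr.strip()
    try:
        ipaddress.ip_address(addr)
        return "ip"                      # literal IPv4/IPv6, not an FQDN
    except ValueError:
        pass
    labels = addr.rstrip(".").split(".")
    if all(LABEL.match(label) for label in labels):
        return "fqdn" if len(labels) >= 2 else "short-name"
    return "invalid"


def audit_server_list(profile_xml):
    """Return [(HostName, HostAddress, kind), ...] for every HostEntry."""
    root = ET.fromstring(profile_xml)
    results = []
    for entry in root.iterfind(".//{*}HostEntry"):
        name_el = entry.find("{*}HostName")
        addr_el = entry.find("{*}HostAddress")
        name = (name_el.text or "").strip() if name_el is not None else ""
        addr = (addr_el.text or "").strip() if addr_el is not None else ""
        results.append((name, addr, classify_host_address(addr)))
    return results


def entries_needing_fqdn(profile_xml):
    """HostName values whose HostAddress must be replaced with an FQDN."""
    return [name for name, _, kind in audit_server_list(profile_xml)
            if kind != "fqdn"]


if __name__ == "__main__":
    for name, addr, kind in audit_server_list(SAMPLE_PROFILE):
        print(f"{name:8} {addr:20} {kind}")
    print("needs FQDN:", entries_needing_fqdn(SAMPLE_PROFILE))
```

Run it against the profile XML exported from the ASDM profile editor; any entry reported as ip or short-name is one where the client will fall back to the 12 second default described above.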

Additional Troubleshooting

Need more help? Try searching our Cisco Knowledge Base articles or Community discussions. For further assistance, contact Support.
