Mar 27

Cisco ASA VPN and RSA SDI Troubleshooting

RSA SDI is a setup that allows a user to log in to a system with a token; it is a two-factor authentication method. The Cisco ASA VPN can be set up to have the user enter either the token number or the user's PIN. If the user enters their PIN, the AnyConnect client looks for the soft token on the computer and retrieves the token number. The ASA then sends the token number to the RSA server for authentication. This blog post is not about how this process works, only a few tips on troubleshooting the connection.


If the Cisco ASA is not set up correctly in the RSA server, the ASA will put the server in Suspended mode and will not try to use it until it is out of suspended mode. In the case below, the Cisco ASA has network access to the RSA server, but the IP of the Cisco ASA was not entered correctly into the RSA application. Below is an example of a suspended server. Note that I named the server group GOATRSA; you can give it any name you want.

Cisco-ASA-Firewall# show aaa-server GOATRSA host 10.5.5.5
Server Group: GOATRSA
Server Protocol: sdi
Server Address: 10.5.5.5
Server port: 5500
Server status: ACTIVE, Last transaction at 12:30:45 UTC Wed Mar 8 2014
Number of pending requests 0
Average round trip time 3385ms
Number of authentication requests 21
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 21
Number of unrecognized responses 0

SDI Server List:
Active Address: 10.5.5.5
Server Address: 10.5.5.5
Server port: 5500
Priority: 0
Proximity: 0
Status: SUSPENDED
Number of accepts 0
Number of rejects 0
Number of bad next token codes 0
Number of bad new pins sent 0
Number of retries 18
Number of timeouts 18

How do you clear an RSA server in SUSPENDED status?

Remove the server from the group and add it back.
From the CLI on the Cisco ASA, issue the following commands, making sure you use your correct group name, interface, and host IP.
no aaa-server GOATRSA (INSIDE) host 10.5.5.5
aaa-server GOATRSA (INSIDE) host 10.5.5.5

After you add the server and issue the show command “show aaa-server GOATRSA host 10.5.5.5“, you will notice the status change to UP.

How do you test a user's RSA token login from the Cisco ASA CLI?
From the CLI on the Cisco ASA, issue the following command, replacing the placeholders with your server group name, the RSA host IP, the username, and the user's current passcode.
test aaa-server authentication <group> host <ip> username <username> password <passcode>
Example:
test aaa-server authentication GOATRSA host 10.5.5.5 username ScapeGoat password 11223344
– The Cisco ASA will tell you whether this failed or succeeded.

After a successful logon, your Cisco ASA will receive a file from the RSA server in the root of its file system that ends in .sdi. When your username test passes, you will then have the .sdi file.
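The three steps above (read "show aaa-server", decide whether the host is suspended and why, then remove/re-add and test) can be checked mechanically, which is handy when you are reviewing output pasted from several firewalls. The following Python script is an added example and not part of the original post or any Cisco tool: it parses the "show aaa-server" output shown earlier (the sample below is constructed from the post's output, trimmed to the counters the script reads), classifies the failure from the counters, and prints the ASA CLI lines the post gives for clearing the suspension. The interface name (INSIDE), the <USER>/<PASSCODE> placeholders and the "no-response" rule (every request timed out with zero accepts and zero rejects, which matches the post's case of a wrongly registered ASA IP) are the script's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the post's "show aaa-server GOATRSA host 10.5.5.5" output,
# trimmed to the lines this script reads (values are the post's own).
SAMPLE_OUTPUT = """\
Server Group: GOATRSA
Server Protocol: sdi
Server Address: 10.5.5.5
Server port: 5500
Server status: ACTIVE, Last transaction at 12:30:45 UTC Wed Mar 8 2014
Number of authentication requests 21
Number of accepts 0
Number of rejects 0
Number of timeouts 21

SDI Server List:
Active Address: 10.5.5.5
Server Address: 10.5.5.5
Status: SUSPENDED
Number of accepts 0
Number of rejects 0
Number of retries 18
Number of timeouts 18
"""

@dataclass
class SdiServerReport:
    group: str
    host: str
    protocol: str
    sdi_status: str       # per-host status from the "SDI Server List" section
    auth_requests: int    # group-level counters from the first section
    accepts: int
    rejects: int
    timeouts: int

def _field(section: str, label: str, pattern: str = r"(\S+)") -> str:
    """Value following 'label' at the start of a line; the colon is optional."""
    m = re.search(rf"^{re.escape(label)}\s*:?\s*{pattern}", section, re.MULTILINE)
    if m is None:
        raise ValueError(f"field not found: {label!r}")
    return m.group(1)

def parse_show_aaa_server(text: str) -> SdiServerReport:
    """Split at 'SDI Server List:' and read each part separately, because the
    'Number of accepts' style counters appear in both with different meanings."""
    header, sep, sdi_section = text.partition("SDI Server List:")
    if not sep:
        raise ValueError("no 'SDI Server List' section: not an sdi server group?")
    return SdiServerReport(
        group=_field(header, "Server Group"),
        host=_field(header, "Server Address"),
        protocol=_field(header, "Server Protocol"),
        sdi_status=_field(sdi_section, "Status", r"([A-Z]+)"),
        auth_requests=int(_field(header, "Number of authentication requests", r"(\d+)")),
        accepts=int(_field(header, "Number of accepts", r"(\d+)")),
        rejects=int(_field(header, "Number of rejects", r"(\d+)")),
        timeouts=int(_field(header, "Number of timeouts", r"(\d+)")),
    )

def diagnose(r: SdiServerReport) -> Tuple[str, str]:
    """Classify the counters. All requests timing out with no accept and no reject
    means the RSA server never answered: the ASA is not registered with the right
    IP on the RSA side, or nothing reaches port 5500 (assumed rule, see lead-in)."""
    if r.sdi_status != "SUSPENDED":
        return "ok", f"{r.host} is {r.sdi_status}; nothing to clear"
    never_answered = r.accepts == 0 and r.rejects == 0 and r.timeouts >= r.auth_requests > 0
    if never_answered:
        return ("no-response",
                f"{r.auth_requests} requests, {r.timeouts} timeouts, no accept or reject: "
                "check the ASA's IP in the RSA agent host record and the path to port 5500")
    return ("suspended-after-answers",
            f"{r.accepts} accepts / {r.rejects} rejects before suspension: the server "
            "answered earlier, so look for a later network or RSA-side change")

def remediation_commands(r: SdiServerReport, interface: str) -> List[str]:
    """The post's clearing procedure as ASA CLI lines. 'interface' is the nameif the
    ASA reaches the RSA server through; <USER>/<PASSCODE> are placeholders."""
    return [
        f"no aaa-server {r.group} ({interface}) host {r.host}",
        f"aaa-server {r.group} ({interface}) host {r.host}",
        f"show aaa-server {r.group} host {r.host}",
        f"test aaa-server authentication {r.group} host {r.host} "
        "username <USER> password <PASSCODE>",
    ]

if __name__ == "__main__":
    report = parse_show_aaa_server(SAMPLE_OUTPUT)
    code, why = diagnose(report)
    print(f"{report.group} {report.host} ({report.protocol}): {report.sdi_status} [{code}]")
    print(why)
    if code != "ok":
        print("\n".join(remediation_commands(report, "INSIDE")))
```

Run it against a saved "show aaa-server" capture by replacing SAMPLE_OUTPUT with the file contents. The split at "SDI Server List:" matters: the group-level section and the per-host section both print "Number of accepts" and "Number of timeouts", and only the group-level counters line up with "Number of authentication requests", so the script reads the counters from the first section and only the status from the second.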

If you have more RSA SDI tips please reply to this post and add your notes!!! I hope this helps you!!

Click here to see Cisco’s SDI Soft token documentation.

Feb 05

Cisco ASA hostname trick to quickly identify if the unit is Active or Standby

After years of working with the Cisco ASA platform, I always learn something new while working with TAC or somebody else. I recently learned about the following command.


“prompt hostname state priority”

This command changes the CLI prompt to include Primary or Secondary and Active or Standby after the hostname. Instead of issuing the “show failover” command to figure out which unit you are on, the prompt shows it directly.

Below is an example.

ASAFirewall(config)# prompt hostname state priority
ASAFirewall/act/sec(config)#

In the example above:
The hostname is “ASAFirewall”.
This unit is “Active”.
This unit is configured as the “Secondary” unit.

If you have any Tips & Tricks like this, please share them by using the reply field below. No account is needed.