vpn + 2fa otp prompting

The majority of the time the 2FA OTP prompt occurs at 4-hour intervals, and if it is not entered after a period of time the VPN connection terminates. From what I understand there is no workaround or adjustment for this presently. Intermittently the prompt doesn't appear when it would be expected to, and connectivity is lost without warning. Even though the client still appears to be connected in the systray app, the internal routes are no longer populated in the output of the route print command. Below, on Win10 build 18362.145 that had just been booted before connecting to the VPN at 6:27, connectivity with the internal network is lost around 10:41; the client GUI behaves as though there is no problem, with no prompt displayed until around 11:07.

From /log/access_server.log on XG210_WP03_SFOS 17.5.4 MR-4-1:

MESSAGE   Jun 10 10:41:35 [4132436800]: (CA_keep_alive): access_server heartbeat
MESSAGE   Jun 10 10:41:35 [4132436800]: (CA_keep_alive): Next CA batch in 45 seconds
MESSAGE   Jun 10 10:41:46 [4134533952]: (otp_code_correct): Will verify code 943126 for user my.username@mydomain.com
ERROR     Jun 10 10:41:46 [4134533952]: (otp_code_correct): oath_totp_validate() failed for tokenid ************ with error The OTP is not valid
MESSAGE   Jun 10 10:41:46 [4134533952]: (otp_handle_short_password_success_request): REJECT1 for user my.username@mydomain.com (bad OTP code or user's token is not active)
ERROR     Jun 10 10:41:46 [4143311360]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed

Client gets stuck on 'authenticating' indefinitely after entering the OTP here.
Attempted restart of the Windows scvpn service hangs indefinitely.
Restart of the strongSwan Windows service succeeds and allows the scvpn service restart to complete.
Reconnected successfully after entering the OTP.

This one line is repeated 80,000 times in the client events, just for the ~4 hours of connectivity today, which seems excessive and could be wasting system resources:

2019-06-10 10:47:07AM 13[CFG] vici message length 1146243396 exceeds 524288 bytes limit, ignored

Client events upon loss of connectivity:

2019-06-10 10:41:45AM 13[IKE] <vpn|1> installing new virtual IP 3.3.3.3 on interface {414D6EE0-ACF4-4A1D-B117-68ED5D6E6E84}
2019-06-10 10:41:45AM 13[KNL] <vpn|1> Adding virtual IP 3.3.3.3
2019-06-10 10:41:45AM 13[KNL] <vpn|1> 3.3.3.3 already in addresses list, count = 2
2019-06-10 10:41:45AM 13[KNL] <vpn|1> 3.3.3.3 is already assigned to the virtual adapter - nothing more to do
2019-06-10 10:41:45AM 13[IKE] <vpn|1> initiating Main Mode IKE_SA vpn[2] to 2.2.2.2
2019-06-10 10:41:45AM 13[ENC] <vpn|1> generating ID_PROT request 0 [ SA V V V V V ]
2019-06-10 10:41:45AM 13[NET] <vpn|1> sending packet: from 1.1.1.188[61001] to 2.2.2.2[4500] (180 bytes)
2019-06-10 10:41:45AM 16[NET] <vpn|2> received packet: from 2.2.2.2[4500] to 1.1.1.188[61001] (180 bytes)
2019-06-10 10:41:45AM 16[ENC] <vpn|2> parsed ID_PROT response 0 [ SA V V V V V ]
2019-06-10 10:41:45AM 16[IKE] <vpn|2> received XAuth vendor ID
2019-06-10 10:41:45AM 16[IKE] <vpn|2> received DPD vendor ID
2019-06-10 10:41:45AM 16[IKE] <vpn|2> received Cisco Unity vendor ID
2019-06-10 10:41:45AM 16[IKE] <vpn|2> received FRAGMENTATION vendor ID
2019-06-10 10:41:45AM 16[IKE] <vpn|2> received NAT-T (RFC 3947) vendor ID
2019-06-10 10:41:45AM 16[CFG] <vpn|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
2019-06-10 10:41:45AM 16[ENC] <vpn|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-06-10 10:41:45AM 16[NET] <vpn|2> sending packet: from 1.1.1.188[61001] to 2.2.2.2[4500] (268 bytes)
2019-06-10 10:41:45AM 15[NET] <vpn|2> received packet: from 2.2.2.2[4500] to 1.1.1.188[61001] (268 bytes)
2019-06-10 10:41:45AM 15[ENC] <vpn|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-06-10 10:41:45AM 15[IKE] <vpn|2> local host is behind NAT, sending keep alives
2019-06-10 10:41:45AM 15[ENC] <vpn|2> generating ID_PROT request 0 [ ID HASH ]
2019-06-10 10:41:45AM 15[NET] <vpn|2> sending packet: from 1.1.1.188[61001] to 2.2.2.2[4500] (92 bytes)
2019-06-10 10:41:45AM 16[NET] <vpn|2> received packet: from 2.2.2.2[4500] to 1.1.1.188[61001] (92 bytes)
2019-06-10 10:41:45AM 16[IKE] <vpn|2> queueing TRANSACTION request as tasks still active
2019-06-10 10:41:45AM 13[NET] <vpn|2> received packet: from 2.2.2.2[4500] to 1.1.1.188[61001] (92 bytes)
2019-06-10 10:41:45AM 13[ENC] <vpn|2> parsed ID_PROT response 0 [ ID HASH ]
2019-06-10 10:41:45AM 13[ENC] <vpn|2> parsed TRANSACTION request 3339736577 [ HASH CPRQ(X_USER X_PWD) ]
2019-06-10 10:41:45AM 13[ENC] <vpn|2> generating TRANSACTION response 3339736577 [ HASH CPRP(X_USER X_PWD) ]
2019-06-10 10:41:45AM 13[NET] <vpn|2> sending packet: from 1.1.1.188[61001] to 2.2.2.2[4500] (124 bytes)
2019-06-10 10:41:46AM 08[NET] <vpn|2> received packet: from 2.2.2.2[4500] to 1.1.1.188[61001] (92 bytes)
2019-06-10 10:41:46AM 08[ENC] <vpn|2> parsed TRANSACTION request 620932081 [ HASH CPS(X_STATUS) ]
2019-06-10 10:41:46AM 08[IKE] <vpn|2> XAuth authentication of 'my.username' (myself) failed
2019-06-10 10:41:46AM 08[ENC] <vpn|2> generating TRANSACTION response 620932081 [ HASH CPA(X_STATUS) ]
2019-06-10 10:41:46AM 08[NET] <vpn|2> sending packet: from 1.1.1.188[61001] to 2.2.2.2[4500] (92 bytes)
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-6{192} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-23{191} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-12{190} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-18{189} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-5{188} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-19{187} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-8{186} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-13{185} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-30{184} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-15{183} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-2{182} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-4{181} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-11{180} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-31{179} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-22{178} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-24{177} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-21{176} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-27{175} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-1{174} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-29{173} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-9{172} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-20{171} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-7{170} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-10{169} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-17{168} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-26{167} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-3{166} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-28{165} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-32{164} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-16{163} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-14{162} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-25{161} state change: INSTALLED => DESTROYING
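As an added example that is not part of the original post (and not Sophos or strongSwan code): a small Python triage script that parses the two logs quoted above and flags the two things described, an XAuth/OTP rejection on the client followed by CHILD_SA teardown with nothing shown in the GUI, correlated with the gateway's REJECT1 / "The OTP is not valid" lines, and the repeated "vici message length ... exceeds ... limit" line. The sample input is abridged from the post; the 5-second correlation window, the flood threshold and the year assumed for the access_server.log timestamps (which carry none) are illustrative assumptions.

```python
"""
Log-triage helper for the two logs quoted in this post. Added example, not
code from the original post or from Sophos/strongSwan. Constructed sample
input (abridged from the post) is embedded below; the correlation window,
the flood threshold and the log year are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2019  # access_server.log lines carry no year; taken from the client log

# Constructed sample: the XG access_server.log excerpt from the post.
GATEWAY_LOG = """\
MESSAGE   Jun 10 10:41:35 [4132436800]: (CA_keep_alive): access_server heartbeat
MESSAGE   Jun 10 10:41:46 [4134533952]: (otp_code_correct): Will verify code 943126 for user my.username@mydomain.com
ERROR     Jun 10 10:41:46 [4134533952]: (otp_code_correct): oath_totp_validate() failed for tokenid ************ with error The OTP is not valid
MESSAGE   Jun 10 10:41:46 [4134533952]: (otp_handle_short_password_success_request): REJECT1 for user my.username@mydomain.com (bad OTP code or user's token is not active)
ERROR     Jun 10 10:41:46 [4143311360]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed
"""

# Constructed sample: abridged strongSwan client events from the post, plus a
# few of the repeated vici lines (the real log had ~80,000 of them).
CLIENT_LOG = """\
2019-06-10 10:41:45AM 13[IKE] <vpn|1> initiating Main Mode IKE_SA vpn[2] to 2.2.2.2
2019-06-10 10:41:46AM 08[IKE] <vpn|2> XAuth authentication of 'my.username' (myself) failed
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-6{192} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-23{191} state change: INSTALLED => DESTROYING
2019-06-10 10:41:46AM 08[CHD] <vpn|2> CHILD_SA vpn-tunnel-12{190} state change: INSTALLED => DESTROYING
2019-06-10 10:47:07AM 13[CFG] vici message length 1146243396 exceeds 524288 bytes limit, ignored
2019-06-10 10:47:07AM 13[CFG] vici message length 1146243396 exceeds 524288 bytes limit, ignored
2019-06-10 10:47:07AM 13[CFG] vici message length 1146243396 exceeds 524288 bytes limit, ignored
2019-06-10 10:47:08AM 13[CFG] vici message length 1146243396 exceeds 524288 bytes limit, ignored
"""

GATEWAY_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[AP]M) \d+\[(?P<sub>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)$")


def parse_gateway(text):
    """access_server.log -> list of {ts, level, msg}; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append({"ts": ts, "level": m["level"], "msg": m["msg"]})
    return out


def parse_client(text):
    """strongSwan client events -> list of {ts, sub, msg} (sub = IKE/CHD/CFG/...)."""
    out = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %I:%M:%S%p")
            out.append({"ts": ts, "sub": m["sub"], "msg": m["msg"]})
    return out


def find_silent_disconnects(events, window=timedelta(seconds=5)):
    """(ts, n) for each XAuth failure followed within `window` (assumed) by n
    CHILD_SA INSTALLED => DESTROYING transitions: the tunnel was torn down even
    though the GUI showed nothing."""
    hits = []
    for i, ev in enumerate(events):
        if ev["sub"] == "IKE" and "XAuth authentication of" in ev["msg"] and ev["msg"].endswith("failed"):
            torn = sum(1 for later in events[i + 1:]
                       if later["ts"] - ev["ts"] <= window and "INSTALLED => DESTROYING" in later["msg"])
            if torn:
                hits.append((ev["ts"], torn))
    return hits


def count_vici_floods(events, threshold):
    """Identical 'vici message length ... exceeds ... limit' lines seen at least `threshold` times."""
    c = Counter(ev["msg"] for ev in events
                if ev["sub"] == "CFG" and ev["msg"].startswith("vici message length"))
    return {msg: n for msg, n in c.items() if n >= threshold}


def gateway_rejections(events, at, skew=timedelta(seconds=5)):
    """Gateway lines within `skew` (assumed) of a client failure that explain it:
    the TOTP reject, the REJECT1 and the check_auth_result failure."""
    markers = ("The OTP is not valid", "REJECT1", "Authentication Failed")
    return [ev for ev in events
            if abs(ev["ts"] - at) <= skew and any(mk in ev["msg"] for mk in markers)]


def triage(gateway_text, client_text, flood_threshold=3):
    """Combine both logs into one report dict (flood_threshold is assumed)."""
    gw, cl = parse_gateway(gateway_text), parse_client(client_text)
    disconnects = []
    for ts, n in find_silent_disconnects(cl):
        disconnects.append({
            "at": ts.isoformat(),
            "child_sas_destroyed": n,
            "gateway_lines": [ev["msg"] for ev in gateway_rejections(gw, ts)],
        })
    return {"silent_disconnects": disconnects,
            "vici_floods": count_vici_floods(cl, flood_threshold)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(GATEWAY_LOG, CLIENT_LOG), indent=2))
```

To run it against real captures, pass the contents of access_server.log and the exported client event log to triage() in place of the two constructed samples, and raise flood_threshold to something meaningful for a multi-hour log (the post's 80,000 repeats would trip any sane value). The correlation deliberately keys on the client-side XAuth failure rather than the gateway line alone, because the gateway rejects the OTP whether or not the GUI ever showed a prompt; the client's CHILD_SA teardown with no prompt is the symptom being chased.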

  • Adding to this, what amount of time is supposed to pass between the time an OTP prompt appears and session termination if it is not entered? Sometimes I can get the info entered before losing connectivity and other times not. It would be helpful to be able to configure that interval and also present a session timer to users leading up to any mandatory prompting/disconnects.