[BBLISA] RSA tokens, ACE Server, Cisco concentrator timing help

Dean Anderson dean at av8.com
Wed Jan 5 00:00:04 EST 2005


Indeed, it sounds like a timing problem.  

The strange part is that some cards are in sync and some aren't.  It could
be the cards, the gateways, the server, or some combination.  
Potentially, it could also be load on the ACE server, or lost packets
between the server and gateways.

If it is a gateway out of sync, the non-working cards will all be using
that particular gateway.  It doesn't matter what timezone you are using,
but only that they are in sync.  UTC eases log entry comparisons, but has
no effect on actual synchronization.

On cisco "sh ntp status" will indicate whether you are synchronized.
Stratum makes no difference, and indeed stratum makes no difference in
most applications outside TDM multiplexing. Lower stratums are "better"
but not in any way that makes any difference to this application. In this
case, you have a 2 minute window (though I think this is changeable, but
not less than 30 seconds).  Only when you get close to being 2 minutes off
do you have problems.  Sync'd NTP will never vary anywhere close to that
far, even from stratum 16.

You neglected to mention the OS that was used for the ACE server, but I
guess since it is in an Active Directory environment that you are using
windows.  Are you running NTP on the ACE server and is it in sync?  Is it 
updating the system clock?

It is possible that the cards themselves are out of sync. The cards
also have an internal clock. The card clock is usually pretty accurate,
but does fail. Often, failing cards will be in the same lot, identified by
serial number.  I saw this occasionally with Security Dynamics cards back 
in the early 90s. (Security Dynamics was bought by RSA)

You are on the right track making a spreadsheet of cards with problems.  
Add to that spreadsheet the gateways where the failure happened and you
should be able to isolate the timing problem, or exclude possibilities.  
I'm also impressed by your spreadsheet.  Methodical testing and log
analysis is more useful, and more revealing than voodoo configuration
changes.  Altering configuration without specific expectation is sometimes
necessary but more often just as harmful.

When you are stumped, I suggest you also create a list of possible
problems, and use the logs to exclude those problems.  Then do what is
necessary (i.e. alter data collection, etc.) to exclude the remaining
problems.

Sometimes it also helps to go through and reconstruct configuration files
line by line from scratch (i.e. what needs to be configured and how should
it be configured), to eliminate unnecessary cruft.

		--Dean


On Sat, 1 Jan 2005, Scott Ehrlich wrote:

> Part of my contract job has involved adding new RSA tokens via ACE Server
> to user accounts (in an Active Directory environment).  Of about 300 new
> tokens, the first 30 went almost flawlessly.  I added the first 30 token
> serial numbers to the ACE Server console, testing each token by logging in
> successfully.
> 
> The next batch of about 30 tokens were more of a mixed result.  Half the
> tokens prompted for a New Pin, then took the new pin and the next six
> digits on the token.  The other half took the new pin, but failed when the
> next code came up, with the error:
> 
> "Secure VPN connection terminated locally by the client.   Reason 413:
> User authentication failed"
> 
> We are using either Cisco 3300 or 3500's, located at three or four sites
> around the country, with one of those sites in Ireland.
> 
> I am told the syncing is instant for all phases of this.
> 
> We've checked google and Cisco's site for ideas, but none of them seem to
> answer this problem.   Every token I've entered has prompted for a New
> Pin, but half will not take the new pin + next code.   If you look at the
> success/failure markings I have on a spreadsheet, the pattern lends itself
> to a timing issue somewhere, but where?
> 
> We have support calls in to at least Cisco, and maybe RSA, for additional
> help.
> 
> Any ideas from the list would be most appreciated.
> 
> As a side note, sorry for my job search spams.   I have other avenues I am
> actively using.   I was simply trying to reach the widest possible
> audience.
> 
> A good new year to all.
> 
> Scott
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
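The correlation Dean describes above (failed logins against the gateway they used and against the token serial lot), written out as a small script. This is an added example for this archive page, not code from the thread, from RSA or from Cisco. The login records, the gateway hostnames and the 12-digit serials are constructed; treating the first eight serial digits as the manufacturing lot, and the 50% "marginal" threshold on clock offset, are assumptions made here for illustration. The two-minute figure is the acceptance window quoted in the message.

```python
"""Triage helper for token-timing failures.

Added example, not code from the original thread or from RSA/Cisco.
It does by script what the message recommends doing in a spreadsheet:
tally each login by gateway and by token lot, then see whether every
failure lines up with one gateway (gateway clock suspect) or with one
lot of cards (card clock suspect).  Everything below is constructed.
"""
from collections import Counter, defaultdict

# Assumption for this example: the first LOT_PREFIX digits of a serial
# identify the manufacturing lot.  Serials here are made up.
LOT_PREFIX = 8

# Constructed login records: (token serial, gateway, outcome).
# Failures all land on one gateway, across two lots.
RECORDS_GATEWAY_CASE = [
    ("000123400101", "vpn-boston",  "ok"),
    ("000123410102", "vpn-boston",  "ok"),
    ("000123400201", "vpn-chicago", "ok"),
    ("000123410202", "vpn-chicago", "ok"),
    ("000123400103", "vpn-dublin",  "fail"),
    ("000123410203", "vpn-dublin",  "fail"),
    ("000123400104", "vpn-dublin",  "fail"),
]

# Failures all come from one lot, spread over every gateway.
RECORDS_LOT_CASE = [
    ("000123400101", "vpn-boston",  "ok"),
    ("000123400102", "vpn-chicago", "ok"),
    ("000123400103", "vpn-dublin",  "ok"),
    ("000123410201", "vpn-boston",  "fail"),
    ("000123410202", "vpn-chicago", "fail"),
    ("000123410203", "vpn-dublin",  "fail"),
]


def lot(serial):
    """Lot identifier for a serial (leading LOT_PREFIX digits)."""
    return serial[:LOT_PREFIX]


def tally(records):
    """Count ok/fail per gateway and per lot.

    Returns two dicts of Counter: {gateway: Counter}, {lot: Counter}.
    A Counter returns 0 for an outcome that never occurred.
    """
    by_gateway = defaultdict(Counter)
    by_lot = defaultdict(Counter)
    for serial, gateway, outcome in records:
        by_gateway[gateway][outcome] += 1
        by_lot[lot(serial)][outcome] += 1
    return dict(by_gateway), dict(by_lot)


def _sole_failing_key(table):
    """The single key holding every failure and no success, else None."""
    failing = [key for key, counts in table.items() if counts["fail"]]
    if len(failing) == 1 and table[failing[0]]["ok"] == 0:
        return failing[0]
    return None


def diagnose(records):
    """Classify the failure pattern.

    ('gateway', name)  every failure on one gateway that never succeeds
    ('lot', prefix)    every failure in one lot that never succeeds
    ('inconclusive', (gateways_with_failures, lots_with_failures))
    """
    by_gateway, by_lot = tally(records)
    gateway = _sole_failing_key(by_gateway)
    if gateway is not None:
        return ("gateway", gateway)
    bad_lot = _sole_failing_key(by_lot)
    if bad_lot is not None:
        return ("lot", bad_lot)
    n_gw = sum(1 for c in by_gateway.values() if c["fail"])
    n_lot = sum(1 for c in by_lot.values() if c["fail"])
    return ("inconclusive", (n_gw, n_lot))


# Two-minute window as quoted in the message; the marginal fraction is
# an arbitrary choice for this example, not a vendor figure.
WINDOW_S = 120.0


def clock_status(offset_s, window_s=WINDOW_S, marginal_fraction=0.5):
    """'ok', 'marginal' (past marginal_fraction of the window) or 'out'."""
    drift = abs(offset_s)
    if drift >= window_s:
        return "out"
    if drift >= marginal_fraction * window_s:
        return "marginal"
    return "ok"


if __name__ == "__main__":
    print("gateway case:", diagnose(RECORDS_GATEWAY_CASE))
    print("lot case:    ", diagnose(RECORDS_LOT_CASE))
    for off in (0.03, 70.0, 125.0):
        print(f"offset {off:>6}s -> {clock_status(off)}")
```

When neither rule fires the result is inconclusive, which is the point of the message: a mixed pattern means the failures are not explained by one gateway or one lot, and the next step is to add columns (time of day, ACE server load, packet loss between server and gateway) rather than to change configuration.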