VIP PUSH notification not sent to a mobile device.

book

Article ID: 170100

calendar_today

Updated On:

Products

VIP Authentication Service VIP Access for Mobile

Issue/Introduction

PUSH notifications are not sent to a mobile device for 60 minutes, then begin sending again. The credential shows at temporary locked in VIP Manager.

VIP logs show: <status>600D</status><statusMessage>Operation not allowed in current state of credential.

When the token has been locked by the PUSH process, the push status shows as TEMPORARY LOCKED in VIP Manager. 

Cause

The PUSH lockout was designed to prevent PUSH spamming or looping. 

The PUSH lock will engage after 5 consecutive failed/unanswered PUSH attempts and will remain locked for 60 minutes after the last PUSH attempt was made. End-users will be prompted to enter the security code manually while the credential is in this state. Setting the status from 'Temporarily Locked' to 'Enabled' win VIP Manager will not bypass the lock.

If entering security codes manually is disabled in VIP Manager and PUSH is temporarily locked, the login will fail with error "Login failed. Please contact your administrator". 

Note: Consecutive failures can be caused by the device not connected to the internet, notifications are disabled, ignored or denied, etc. For example, 5 pushes are:
 
Push Denied = fail count 1
Push Denied = fail count 2
Ignored = fail count 3
Ignored = fail count 4
Ignored = fail count 5, push is  temp locked.

 
The fail counter resets back to zero 60 minutes after the last PUSH was sent, or the user accepts a PUSH notification while the credential is not temporarily locked. 
 
Presently, there are no API calls to check what increment the counter value. VIP Manager cannot filter for users with temp locked push credentials. he rationale behind this is the users will be automatically unlocked in the specified 1 hour time frame. 

Environment

PUSH is enabled in a VIP account under the Policies tab in VIP Manager. VIP Access mobile is installed and the credential is registered to a user in VIP Manager. The credential shows a PUSH enabled.

Resolution

A misconfigured environment, network latency, device connectivity, a misplaced device, etc. can cause multiple unacknowledged PUSHes on a device. For example, a validation server and/or VPN appliance with improperly set timeout values.

The device must be able to accept the PUSH notifications (powered on, service available or on WiFi, not in airplane mode, not on silent mode, VIP notifications are not blocked, etc)

Use VIP Manager REPORTS to view PUSH notifications.

Attachments