Users are temporarily locked out after making a single PUSH request, and/or a single PUSH request results in the user receiving a rapid succession of PUSH requests.
Sample Validation Server log snippet:
INFO "2016-03-02 19:09:26.212 GMT-0500" 0.0.0.0 ValidationEngine 0 0 "text=Sending Acces-Reject for user 821084 reason=29 PUSH Trampled"
INFO "2016-03-02 19:09:36.353 GMT-0500" 0.0.0.0 ValidationEngine 0 0 "text=Sending Acces-Reject for user 821084 reason=29 PUSH Trampled"
INFO "2016-03-02 19:09:45.463 GMT-0500" 0.0.0.0 ValidationEngine 0 0 "text=Sending Acces-Reject for user 821084 reason=29 PUSH Trampled"
INFO "2016-03-02 19:09:55.604 GMT-0500" 0.0.0.0 ValidationEngine 0 0 "text=Sending Acces-Reject for user 821084 reason=29 PUSH Trampled"
This can be caused by the VPN or an application retry value being set too low. For example, if retry is set to 12 seconds and the user does not accept within that time, a second PUSH is sent. If the user accepts the initial PUSH after the second PUSH is sent, a TRAMPLE occurs when the second PUSH tramples over the first. The retry value is essentially the validity period for that PUSH.
Increase the time-out value for 2-factor transactions in the VIP Enterprise Gateway Validation Server settings (if applicable), and in the integration or application settings where the PUSH is initiated. In general, the VPN or web application that is processing a PUSH login needs to wait for the downstream RADIUS server longer than it normally might. Changes from 5 seconds or 10 seconds (default application configuration) to 60 seconds (to support PUSH) are typical.
For example, if using the AnyConnect client:
“By default, AnyConnect waits up to 12 seconds for an authentication from the ASA before terminating the connection attempt. AnyConnect then displays a message indicating the authentication timed out. Cisco added the ability to configure the timeout beginning in version 2.5.1025. The AnyConnect profile lets you specify the authentication timeout value in the range 10-120 seconds. To use the Profile Editor to change the authentication timer, open the Preferences (cont) window and enter the number of seconds into the Authentication Timeout Values field. Alternatively, you can use a text editor to add the XML tag to the AnyConnect profile.”
Set the timeout value in the profile to 60 seconds. Please refer to this Cisco link on how to configure this change:
<ClientInitialization> <AuthenticationTimeout>60</AuthenticationTimeout> </ClientInitialization>
Note: The client receives the update from the server in the <serverlist> attributes. Please refer to this article for more information.