Symantec VIP User unable to MFA. Getting error "6009" in Transaction Report

Article ID: 401919


Products

VIP Service

Issue/Introduction

Symantec VIP User is unable to authenticate with Symantec VIP MFA. User Transaction Report shows error "6009" for 'beginAuthentication'. The user receives a PUSH notification and hits "Accept", but is still denied access at the application level.

Environment

VIP Enterprise Gateway Radius configured for ULO mode (UserID + Password + OTP code) with a PUSH-enabled device.

The steps below show how to read the VIP Transaction Report and the local Radius Validation logs to follow an authentication request through VIP.

Resolution

Ensure the VIP Radius service is set to "DEBUG" level logging, then search the logs for the UserID (username) of the affected user.

Here is an example from the VIP Radius logs at DEBUG level. You can also cross-reference the "requestId" numbers with the VIP Manager Transaction Report:

  • "2025-06-12 14:38:45.026 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Trying to fetch attribute from User Store No:- 1 whose storeName is AD.company.com " (We received the request and we are checking the User Store LDAP connection to verify this is a legitimate user)
  • "2025-06-12 14:38:45.229 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Successfully fetched attribute from User Store No:- 1 whose storeName is AD.company.com " (The user request is received and verified as a legitimate user in the User Store Active Directory)
  • "2025-06-12 14:38:45.229 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:UserID] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_2842223351" (Now that the user is verified against AD, we want to see if they included their OTP with the AD password. This is sent to the VIP Cloud to verify)
  • "2025-06-12 14:38:45.526 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=After Services Authenticate call for user [UserID]. StatusCode: 24585, StatusMessage: Authentication Failed." (The user did not include the OTP code. This results in the "beginAuthentication" process returning a 6009 "Authentication Failed" -- But the authentication will continue. This was only in reference to the initial check for an OTP with the password)
  • "2025-06-12 14:38:45.526 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Verifying against User Store No:- 1 whose storeName is AD.company.com " (Because the initial OTP was not supplied, we now know that we need to send the entire user password field to AD to verify first factor)
  • "2025-06-12 14:38:45.604 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Verified against User Store No:- 1, authentication result:- 0"
  • "2025-06-12 14:38:45.604 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User successfully validated against user-store no. = 1" (AD returned successful password -- First factor is now verified successful)
  • "2025-06-12 14:38:45.604 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:UserID] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_2842223352" (Now that first factor is successful and we do not have an OTP for MFA verification, we need to initiate the PUSH)
  • "2025-06-12 14:38:45.760 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=PUSH request sent for user [UserID]." (We send the PUSH from VIP Cloud side)
  • "2025-06-12 14:38:45.760 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:pollForPushStatus] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_3745446452" (The VIP Cloud service does not initiate communication to the local VIP Radius. The Radius "polls" the VIP Cloud side every 2 seconds to see when the PUSH is responded to)
  • "2025-06-12 14:38:48.041 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:pollForPushStatus] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_3745446453" (next PUSH poll check)
  • "2025-06-12 14:38:50.088 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:pollForPushStatus] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_3745446454" (next PUSH poll check)
  • "2025-06-12 14:38:50.135 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Evaluating Push Closure request for user [UserID]" (VIP Cloud responded to this last poll that the user had responded to the PUSH and sends the results)
  • "2025-06-12 14:38:50.135 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Authentication Success for user [UserID]. StatusCode: 28672, StatusMessage: Mobile push request approved by user" (The local VIP Radius registers that the VIP Cloud sent "Approve" for the PUSH request and finishes validating the user's MFA request)
  • "2025-06-12 14:38:50.135 GMT-0700" 10.0.0.100 RadiusService:1812 0 0 "text=Access GRANTED" (We send back an "Access GRANTED" successful authentication to device 10.0.0.100, which is the device that sent us the request)

If the final response is "Access GRANTED", then everything is working on the VIP side. For further investigation, refer to the local application at the IP address the success response was sent to.

If the final response is "Access DENIED", then the user is failing VIP 2FA authentication. Refer to the preceding log entries and the Transaction Reports for the exact reason for the failure.
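The walk-through above can be automated. The following is an added example, not part of the original article or any VIP tool: it parses a DEBUG log excerpt in the format shown and reports whether the 6009 was only the initial OTP check or the attempt really failed. It assumes the excerpt covers a single authentication attempt (the final "Access" line carries no username), and the sample log with user "jdoe" is constructed.

```python
import re

# Constructed sample in the DEBUG log format shown above; user "jdoe" is made up.
SAMPLE_LOG = '''\
"2025-06-12 14:38:45.526 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=After Services Authenticate call for user [jdoe]. StatusCode: 24585, StatusMessage: Authentication Failed."
"2025-06-12 14:38:45.604 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=VSAuthOTPFirstFactorLDAPImpl.authenticateExt() -- User successfully validated against user-store no. = 1"
"2025-06-12 14:38:45.760 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=PUSH request sent for user [jdoe]."
"2025-06-12 14:38:45.760 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:pollForPushStatus] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_3745446452"
"2025-06-12 14:38:48.041 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=[INFO_REQUEST:pollForPushStatus] requestId: 9_11_0_w_XXX_XXX_XXX_XXX_3745446453"
"2025-06-12 14:38:50.135 GMT-0700" 0.0.0.0 RadiusService:1812 0 0 "text=Authentication Success for user [jdoe]. StatusCode: 28672, StatusMessage: Mobile push request approved by user"
"2025-06-12 14:38:50.135 GMT-0700" 10.0.0.100 RadiusService:1812 0 0 "text=Access GRANTED"
'''

LINE = re.compile(r'^"(?P<ts>[^"]+)"\s+(?P<ip>\S+)\s+\S+\s+\d+\s+\d+\s+"text=(?P<text>.*?)\s*"\s*$')
STATUS = re.compile(r'StatusCode: (\d+), StatusMessage: (.+)$')

def trace(log_text):
    """Summarise one authentication attempt from a DEBUG log excerpt."""
    r = {"statuses": [], "first_factor_ok": False, "push_sent": False,
         "polls": 0, "final": None, "client_ip": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a RadiusService log line
        text = m["text"]
        s = STATUS.search(text)
        if s:
            # The log prints decimal; 24585 is 0x6009, the code in the Transaction Report.
            r["statuses"].append((format(int(s[1]), "X"), s[2].rstrip(".")))
        if "User successfully validated against user-store" in text:
            r["first_factor_ok"] = True
        elif text.startswith("PUSH request sent"):
            r["push_sent"] = True
        elif "[INFO_REQUEST:pollForPushStatus]" in text:
            r["polls"] += 1
        elif text.startswith("Access "):
            r["final"], r["client_ip"] = text.split()[1], m["ip"]
    return r

def diagnose(r):
    if r["final"] == "GRANTED":
        note = "6009 was only the initial OTP check; " if any(c == "6009" for c, _ in r["statuses"]) else ""
        return f"{note}VIP granted access, investigate the application at {r['client_ip']}"
    if r["final"] == "DENIED":
        last = r["statuses"][-1] if r["statuses"] else ("unknown", "unknown")
        return f"VIP denied access, last status {last[0]} ({last[1]})"
    return "no final Access line in excerpt"

print(diagnose(trace(SAMPLE_LOG)))
```

On a busy gateway, cut the excerpt down to one user's time window before passing it to `trace`, since attempts from different users interleave in the log.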