Azure VPN Gateway and MFA Timeout Issue for Point to Site Connections

Hi,

I'm having trouble getting MFA working with an Azure P2S IKEv2 VPN using RADIUS auth. It seems that the auth response timeout on the gateway is set so low (looks like 5 sec) that I don't have enough time to authenticate using MFA. I've verified this both with DUO Auth and Azure MFA; both have the same result.

 

I initiate the VPN connection, enter credentials, and before I can answer the phone call to verify MFA, another request is initiated and a second call comes through. If I successfully verify either or both calls, the connection fails. However, if I use a push notification to the cell phone for verification and I can verify in under 5 sec, the connection is completed.

 

I've also pointed my Palo Alto VPN device (where I have a specified timeout of 60 sec) at my MFA server and was able to log in successfully to that VPN - this determines the issue is not with my MFA server setup.

 

I've created a bug request with Microsoft on this as there doesn't seem to be a way to change the timeout.

 

Has anyone else encountered this issue or found a workaround??
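Added example, not part of the original post: a small Python model of the timing described above, showing why a short RADIUS response timeout produces a second MFA challenge and a failed connection while a 60-second timeout does not. The function name, the single resend, and the rule that every request reaching the MFA server starts a new challenge are assumptions of this model, not documented gateway behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class Result:
    connected: bool
    prompts: int                      # MFA challenges the user received
    timeline: list = field(default_factory=list)

def simulate(timeout_s, approve_after_s, retries=1):
    """RADIUS client resends Access-Request every timeout_s until a reply or give-up.

    Assumptions of this model (not stated in the post): `retries` resends,
    every request that reaches the MFA server starts a new challenge, and the
    user approves the first challenge `approve_after_s` seconds after it starts.
    """
    give_up_at = timeout_s * (retries + 1)
    timeline, prompts = [], 0
    for attempt in range(retries + 1):
        sent_at = attempt * timeout_s
        if attempt > 0 and sent_at >= approve_after_s:
            break                      # reply already arrived, no resend needed
        prompts += 1
        timeline.append((sent_at, f"Access-Request {attempt + 1} sent, MFA challenge {prompts}"))
    connected = approve_after_s < give_up_at
    if connected:
        timeline.append((approve_after_s, "Access-Accept received, tunnel up"))
    else:
        timeline.append((give_up_at, "client gives up, connection fails"))
        timeline.append((approve_after_s, "approval arrives after give-up, ignored"))
    return Result(connected, prompts, timeline)

# Constructed scenarios mirroring the post: 5 s gateway timeout vs 60 s firewall timeout.
SCENARIOS = {
    "gateway, push approved in 4 s": (5, 4),
    "gateway, phone call answered in 15 s": (5, 15),
    "60 s timeout, phone call answered in 15 s": (60, 15),
}

if __name__ == "__main__":
    for name, (timeout_s, approve_after_s) in SCENARIOS.items():
        r = simulate(timeout_s, approve_after_s)
        print(f"{name}: connected={r.connected} prompts={r.prompts}")
        for at, event in r.timeline:
            print(f"  t={at:>4}s  {event}")
```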

1 Reply
I'm having a similar issue when leveraging MFA server against Office 365 logins. I'm also experiencing the 5 second timeout. I also have two-factor authentication configured for my Fortigate VPN and Remote Desktop Services and the timeout is not an issue. The timeout only comes into play when the ADFS configuration is leveraged. I have a case open with Microsoft for it but so far they haven't been able to figure out the issue. I've had the case open since December 2017. It is very annoying.