Cisco ASA RADIUS VPN Hitting Rate Limits
May 20, 2025
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview
Cisco ASA RADIUS VPN Rate Limit issues - /api/v1/radius getting bombarded with repeated requests.
Applies To
- Cisco ASA (RADIUS) app for VPN
- Multi-Factor Authentication (MFA)
Cause
As per Cisco, the ASA automatically retries every 10 seconds in a retry interval. The Max Failed Attempts is going to ensure that these continue up until 5 attempts, as counted by Cisco, which causes the Okta Verify Push to continue to go off and stack up long after the attempt is completed.
Solution
The Max Failed Attempts setting needs to be set to 1. If it is set to 5, the Cisco ASA will continue requesting on the same attempt 5 times every 10 seconds.
NOTE: This is a separate setting from the Timeout and Retry Interval settings, as outlined in the Install and configure the Okta IWA Web agent for Desktop Single Sign-on documentation.
