totp token preserved in HA ?
Alberto Newbie ✭
Is the totp token (for example for 2FA in sslvpn) preserved on failover of machines to unity ?
or is the totp token associated with the macaddress of physical unit ?
Category: High End Firewalls
@Alberto it's preserved, otherwise this would be a disaster: every time the unit switches, the TOTP binding would become invalid.
But fair question, we've seen questionable things in the past :)
Thanks. I don't understand the last comment. I think this problem is about issue GEN-999?
Yesterday I had a failover on a 6600. Invalid OTP result. I fixed it at the moment with another failover back to the main unit. Failover due to a process:
"05/11/2023 10:35:24.656 DP Core 14 GAV Processing taking 1 seconds
05/11/2023 10:35:26.672 Reboot due to DP Core hang
05/11/2023 10:35:26.672 Core Trace 14:
Firmware old but currently stable 6_5_4_7-83n--HFGEN6-1249
@Alberto do you believe that GEN6-999 might affect you? This issue sounds like it's meant for users who haven't already bound their TOTP, but I might be wrong here, never faced this specific one.
TOTP authentication is not supported on a High Availability pair when the same user has a different QR code and scratch code on the primary/secondary HA firewalls. GEN6-9
If you can reproduce this issue with a simple failover I would raise a ticket for this.