https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147126#M6883 <P>Hi, it says failed log in...I did the wireshark on ISE and CP. Everytime the reject is sent from the ISE, the request is sent from CP.</P> Wed, 27 Apr 2022 05:53:33 GMT petermatuska 2022-04-27T05:53:33Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147117#M6881 <P>Hi,</P><P>we are extracting username from user's certificate (without password) and sending it to the RADIUS server - ISE. ISE sends it to Duo MFA in order to send the push notification. When user decides to Deny the notification, the Access-Reject is sent from Duo to ISE and from ISE to Check Point. The problem is that after the first Access Reject the second Access-Request is sent from FW and user has to Deny the push 2 more times and after that the VPN client says Denied access.</P><P>Where can this "3 times counter" can be changed so after first Deny the connection is rejected?</P><P>&nbsp;</P><P>thank you</P> Tue, 26 Apr 2022 20:40:56 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147117#M6881 petermatuska 2022-04-26T20:40:56Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147120#M6882 <P>There is really no "3 time counter" anywhere that Im aware of...what does the log show on CP when user rejects the notification?</P> Wed, 27 Apr 2022 01:32:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147120#M6882 the_rock 2022-04-27T01:32:57Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147126#M6883 <P>Hi, it says failed log in...I did the wireshark on ISE and CP. Everytime the reject is sent from the ISE, the request is sent from CP.</P> Wed, 27 Apr 2022 05:53:33 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-with-MFA-push/m-p/147126#M6883 petermatuska 2022-04-27T05:53:33Z