We noticed that the Cisco ASA firewall caches passwords: after a password change, the old password still works a few times before expiring, while the new one can be used without problem.
This documentation, found on the Cisco website, helped me troubleshoot the issue:
“The adaptive security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the adaptive security appliance does not resend the request to the authorization server.”
In my case, I solved the issue with the “password-storage” option in the group-policy attributes:
— Go to your Cisco ASA
— Enter enable mode
en
— Enter configuration mode
conf t
— Edit the attributes of the group policy associated with your VPN
group-policy <VPN policy name> attributes
— Add the password-storage option
password-storage disable
— Test
— Save
wr
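
To confirm which group policies actually carry the setting after the change above, this added example (not part of the original post) parses the text of `show running-config group-policy` and reports the password-storage state of each policy. The sample configuration and the policy names in it are constructed for illustration.

```python
import re

# Constructed sample of `show running-config group-policy` output (not from a real device).
SAMPLE_CONFIG = """\
group-policy VPN_STAFF internal
group-policy VPN_STAFF attributes
 dns-server value 192.0.2.53
 vpn-tunnel-protocol ssl-client
 password-storage disable
group-policy VPN_VENDORS internal
group-policy VPN_VENDORS attributes
 vpn-tunnel-protocol ikev2
 password-storage enable
group-policy VPN_LEGACY internal
group-policy VPN_LEGACY attributes
 vpn-tunnel-protocol ikev1
group-policy VPN_EMPTY internal
"""

HEADER = re.compile(r"^group-policy (\S+) (internal|attributes)\b")
SETTING = re.compile(r"^\s+password-storage (enable|disable)\s*$")

def audit_password_storage(config_text):
    """Map each group policy to 'enable', 'disable', or 'unset' (no explicit line)."""
    results = {}
    current = None  # policy whose attributes block is being read
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            name, kind = header.groups()
            results.setdefault(name, "unset")
            current = name if kind == "attributes" else None
        elif current and line[:1].isspace():
            setting = SETTING.match(line)
            if setting:
                results[current] = setting.group(1)
        else:
            current = None  # any other unindented line ends the block
    return results

def policies_to_review(config_text):
    """Policies that do not explicitly contain `password-storage disable`."""
    audit = audit_password_storage(config_text)
    return sorted(name for name, state in audit.items() if state != "disable")

if __name__ == "__main__":
    for name, state in audit_password_storage(SAMPLE_CONFIG).items():
        print(f"{name}: password-storage {state}")
    print("review:", ", ".join(policies_to_review(SAMPLE_CONFIG)))
```

A policy reported as "unset" has no explicit password-storage line in its own attributes block, so check it by hand rather than assuming either state.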