Two-Factor authentication failures

Hi, we have a few clients using GlobalProtect as VPN (various versions), some are authenticating using 2FA, using SecurEnvoy as a RADIUS server.

What we're seeing is as follows - the user has an authenticated VPN connection, then their network connection drops for some reason (they put the laptop to sleep, their wireless goes off, etc. etc. - the cause doesn't appear to be relevant).

When the physical network connection re-establishes, GlobalProtect tries to re-establish the VPN link. When it does, as far as the user sees, they're prompted for a new SecurEnvoy code, they enter it, all's well. However, what has happened in the background, it seems, is that GP has already tried to use its previous SecurEnvoy code to authenticate with RADIUS. That fails, obviously - SecurEnvoy reports a "Soft Token Already Used" error, GP shows "Invalid username or password" in the system log. SecurEnvoy also increments its bad password count for that user. Only then does the user get prompted for a new code.

If the user then dismisses the prompt to sign in to VPN - either by clicking "cancel" or the "X" - the process repeats. If they dismiss the prompt to connect ten times (the max number of failed logins permitted in SecurEnvoy), their account is disabled and they can't connect at all until their account is re-enabled. That ten times can happen in the space of 6 or 7 minutes.

We've mitigated this to some extent with advising users on the correct behaviour - just log in the first time when prompted - and the number of lockouts has dropped, but we still see the errors, and it's still a potential problem.

Is this the expected behaviour from GlobalProtect? Anyone else seen this kind of behaviour? With other RADIUS solutions?

Issue being seen on - for example - Software Version 7.1.0, GlobalProtect Agent 3.1.4 with SecurEnvoy Version 7.2.504 running on 2008 R2

Appreciate any comments.

Cheers

Andrew