RSA tokens, ACE Server, Cisco concentrator timing help

[scott at ehrlichtronics.com (Scott Ehrlich)]

I know this email involved Windows stuff, but because it involves RSA and
Cisco stuff, too, I thought it might still be appropriate...

Part of my contract job has involved adding new RSA tokens via ACE Server
to user accounts (in an Active Directory environment).  Of about 300 new
tokens, the first 30 went almost flawlessly.  I added the first 30 token
serial numbers to the ACE Server console, testing each token by logging in
successfully.

The next batch of about 30 tokens were more of a mixed result.  Half the
tokens prompted for a New Pin, then took the new pin and the next six
digits on the token.  The other half took the new pin, but failed when the
next code came up, with the error:

"Secure VPN connection terminated locally by the client.   Reason 413:
User authentication failed"

We are using either Cisco 3300 or 3500's, located at three or four sites
around the country, with one of those sites in Ireland.

I am told the syncing is instant for all phases of this.

We've checked google and Cisco's site for ideas, but none of them seem to
answer this problem.   Every token I've entered has prompted for a New
Pin, but half will not take the new pin + next code.   If you look at the
success/failure markings I have on a spreadsheet, the pattern lends itself
to a timing issue somewhere, but where?

We have support calls in to at least Cisco, and maybe RSA, for additional
help.

Any ideas from the list would be most appreciated.

As a side note, sorry for my job search spams.   I have other avenues I am
actively using.   I was simply trying to reach the widest possible
audience.

A good new year to all.

Scott