CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi all, I'm having some problems with the SecurID authentication: after a SmartCenter upgrade from R55 to R61, all the users are not authenticated because the firewall is NATing (with rule 0) its real IP address with the Virtual IP address (both HA modules are still on R55). At the moment we can't change the ACE configuration (and I'm wondering, when it will be possible, how to configure two agent hosts with the same IP), so the ACE server is rejecting all the requests.... Does anyone know how to disable this new feature (NAT with the VIP address for securid-udp packets) or how to solve the problem with the ACE server? regards, maurox

Two options here:
1/ Uncheck the option in the cluster configuration to hide outbound traffic from the cluster
2/ This is mentioned in the NGX release notes (not sure about the R61 notes) page 21 - you can edit table.def to tell it not to NAT UDP/5500 traffic.

uhm, don't follow your post entirely but........... on your gateways: create the file under /var/ace called sdopts.rec. In that file enter: CLIENT_IP=x.x.x.x where x.x.x.x is the IP number you want requests to the ACE server to come from. Since you are running a cluster, this could with benefit be your VIP IP number. This setting will force gateways to send that IP# as a source when talking to the ACE server. It unfortunately requires cpstop;cpstart to get it active. .....or....... add secondary IPs to the agent host on the ACE server.

Hi all, the IP address configured in /var/ace/sdopts.rec is the physical IP address of the module, but the cluster is sending the request to the ACE server NATing this IP.... I'm going to try as suggested by northlandboy.... Thanks Maurox

Hi all, on the "old" (R55) cluster there isn't the flag to hide the outgoing traffic with the cluster IP. But I found the solution in the release notes (as suggested by northlandboy) that say: "When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {<5500, 17>}, where 5500 is the service port and 17 (UDP) is the protocol." I'm going to test it..... Maurox

I think this is better (but I have to speak with the RSA admin because unfortunately I can't configure it directly) and next Monday I'm going to test it. Thanks, maurox p.s.: on the ACE server did you configure (in the DNS entry) the real name of the cluster, or is this not important?

I used the name that's in DNS; it's important that the name is the same as in DNS, the ACE server makes a reverse lookup before accepting authentication from a defined agent host
__________________
misery is optional

Just note that if you make HFA upgrades in future they will probably overwrite your .def file (just in case it stops working one day ;))

Thanks for your suggestion, but I think this is valid for the NGX modules (all the modules are R55 and I'm going to test this solution changing the file in the NGCMP directory of the SmartCenter...) Regards, maurox

This worked great for me after a network update which meant the Firewall's inside IP changed. Couldn't work out what was wrong at first as I didn't set up the ACE. When sniffing I noticed Checkpoint was talking from the new IP to the ACE, so guessed it maybe checked where the request came from given it is a Secure Server...and that fixed it. Thanks...and also thanks to Google which picked up your post.
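The two diagnostics this thread converges on (is UDP/5500 excluded from the cluster hide-NAT in table.def, and which source address does the ACE server actually see in a packet capture) can be scripted. The following is an added example, not Check Point or RSA code: it parses a constructed table.def fragment for the no_hide_services_ports line quoted above, and classifies the source IPs of UDP/5500 requests in a few constructed tcpdump-style lines against the cluster VIP and the agent hosts registered on the ACE server. The addresses, the capture lines and the table.def fragments are all assumptions for the demo; the regex for the capture lines assumes tcpdump's default "IP src.port > dst.port: UDP" layout.

```python
"""Checks for the SecurID source-address problem discussed in the thread above.

Added example, not Check Point or RSA code. Runs on constructed text only.
"""
import re

SECURID_PORT = 5500   # UDP port the thread quotes for SecurID agent traffic
UDP_PROTO = 17        # protocol number used in table.def for UDP

# Matches e.g. "no_hide_services_ports = {<5500, 17>}" or "{<4500, 17>, <5500, 17>}"
_NO_HIDE_RE = re.compile(r"^\s*no_hide_services_ports\s*=\s*\{(.*)\}", re.M)
_PAIR_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def no_hide_pairs(table_def_text):
    """Return the set of (port, protocol) pairs excluded from cluster hide-NAT."""
    m = _NO_HIDE_RE.search(table_def_text)
    if not m:
        return set()
    return {(int(port), int(proto)) for port, proto in _PAIR_RE.findall(m.group(1))}


def securid_excluded_from_hide(table_def_text):
    """True if UDP/5500 is listed, i.e. members will talk to ACE with their own IP."""
    return (SECURID_PORT, UDP_PROTO) in no_hide_pairs(table_def_text)


# tcpdump-style line (constructed): "IP 192.0.2.11.47214 > 198.51.100.5.5500: UDP, length 88"
_CAP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")


def securid_sources(capture_lines, ace_server):
    """Source IPs of UDP/5500 datagrams addressed to the ACE server."""
    sources = set()
    for line in capture_lines:
        m = _CAP_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dst == ace_server and dport == SECURID_PORT:
            sources.add(src)
    return sources


def diagnose(capture_lines, ace_server, vip, registered_agents):
    """Classify each observed source: 'ok' if it is an agent host registered on the
    ACE server, 'vip' if the cluster hide-NAT is still rewriting it to the VIP,
    otherwise 'unregistered' (e.g. a member whose inside IP changed)."""
    verdict = {}
    for src in securid_sources(capture_lines, ace_server):
        if src in registered_agents:
            verdict[src] = "ok"
        elif src == vip:
            verdict[src] = "vip"
        else:
            verdict[src] = "unregistered"
    return verdict


# Constructed sample data (assumed addresses, not from any real deployment)
ACE_SERVER = "198.51.100.5"
CLUSTER_VIP = "192.0.2.10"
REGISTERED_AGENTS = {"192.0.2.11", "192.0.2.12"}   # members defined on the ACE server

TABLE_DEF_BEFORE = "no_hide_services_ports = { }\n"
TABLE_DEF_AFTER = "no_hide_services_ports = {<5500, 17>}\n"   # the line quoted in the thread

SAMPLE_CAPTURE = [
    "IP 192.0.2.10.47213 > 198.51.100.5.5500: UDP, length 88",   # source is the VIP: rejected
    "IP 192.0.2.11.47214 > 198.51.100.5.5500: UDP, length 88",   # member's own IP: accepted
    "IP 192.0.2.11.51000 > 198.51.100.5.53: UDP, length 60",     # unrelated DNS, ignored
]

if __name__ == "__main__":
    print("UDP/5500 excluded before edit:", securid_excluded_from_hide(TABLE_DEF_BEFORE))
    print("UDP/5500 excluded after edit: ", securid_excluded_from_hide(TABLE_DEF_AFTER))
    print(diagnose(SAMPLE_CAPTURE, ACE_SERVER, CLUSTER_VIP, REGISTERED_AGENTS))
```

On a real gateway you would feed `diagnose` the output of a capture filtered on udp port 5500 towards the ACE server; a "vip" verdict means the table.def exception (or the sdopts.rec CLIENT_IP approach) is not in effect on that member, and "unregistered" is the case the last poster hit, where the member's IP changed but the agent host on the ACE server did not.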