| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Chaps, has anyone come across the following error? Check Point FireWall-1 authenticated Telnet server running on firewall User: test1 PASSCODE: ********** User test1 authenticated by SecurID Login expired on 31-dec-2003. The auth is set to user auth within the rule. I have had a look around the CP SK and came across something that suggested the error is related to time delay from a slow connection. I have checked all the details, i.e. their user profile is set to 2017, sec-id id is new and has a few years left on it. Has anyone seen this error before? __________________ I used to think a firewall was a borken router but now i know thats its a hub! |
| |||
| Yes, the user connects to the fw via telnet on port 259 for auth. The user inputs their user name followed by pin+secid when prompted. This is where they are prompted with the Login expired on 31-dec-2003 message. __________________ I used to think a firewall was a borken router but now i know thats its a hub! |
| |||
| There are only two places where this could be expired. Either the SecurID user's token has expired, or the Firewall user has expired. The message sounds suspiciously like a firewall user expired message--even the date format is the same as the user profile. What happens when you change the Check Point user's expiration to a different date, such as 01-01-2007? Does the date in the error message change? I believe you have to push the policy after you change the expiration date.... Of course I'd also verify the proper time on each host, the firewall, the SecurID server and the client. |
| |||
| I thought that too..... I double-checked the user's profile and its date is set to 2016 by default, and I changed it to 2017 and pushed the policy. I also checked the secid on the ACE server and the secid token has about 2 years left. However, the only thing I do not have control over is the client the user will connect to after the auth has happened. Also, the times are correct on the machines I have control over. There is one thing to note..... the issue isn't happening all the time, it is intermittent, which leads me to believe two things: the connection they're trying to connect from is very much saturated and the time from the point of initial connection to the point the user submits the password exceeds the CP's 2 minute auth timers. If that's not the case then it's the target system they're trying to get to that is at fault (I say this as the initial rule was a user auth for ftp/telnet). __________________ I used to think a firewall was a borken router but now i know thats its a hub! |
| |||
| All, I know that I asked this question a while ago when I came across this problem for the first time, but it somehow managed to fix itself. However, I am seeing the same problem once again. I am running a pair of Crossbeam C25 with R55 and the last version of ACE. The users auth by the webpage on port 900 and that's where they get the error from. Can this be caused by their local machine NTP settings or firewalls not correctly talking back to the ACE server? Licences? __________________ I used to think a firewall was a borken router but now i know thats its a hub! |
| |||
| the default on the firewall is set to 31-Dec-2016 and only about 6 users out of a 100 are affected...... any ideas anyone? __________________ I used to think a firewall was a borken router but now i know thats its a hub! |
| |||
| Is it a coincidence that the problem is occurring almost a year later, around the time of the old daylight savings date? __________________ Its all in the documentation. |
| |||
| That's an interesting notion which I will check out; however, this is something that happens once in a while. The original post was before we upgraded the FW hardware and it stopped, and now it's happening on the new platform... __________________ I used to think a firewall was a borken router but now i know thats its a hub! |