Client Authentication doesn't prompt

[sylaus]

Hello, since we made the update to GNX R61 (Build 602000193) I have a problem with the client authentication.
When users click on the browser, sometimes he don`t get the login prompt from my Firewall. It is working for an amount of times and suddenly stop to work.
If I bypass the authentication(opening the rule) it`s work.
My Firewall`s are clustered.(two Nokia ip380)
Any idea ???

Thanks.

[ngxadmin]

I was just going to create a similiar entry. Since I upgraded from R60 to R62, I have had issues with client authentication. The workaround is to reboot the firewall nodes. Client auth will usually start to fail sporadically after a couple weeks and then pretty much stop working all together. SPLAT - Distributed - Management and 2 enforcement nodes. Had the authentication in place since at least R55 (maybe R54) and there was never an issue.

[melipla]

I've had flaky Client Auth / User Auth issues in the past, where it work work for a while and then become spotty and eventually stop working. I could temporarily fix the problem by pushing the policy again, but it would stop working after a variable amount of time.

After working with support they told me I had to do a fresh install of SPLAT, since then my Auth issues have not reappeared.

HTH

[sylaus]

Very intersting, do you have more info. about SPLAT ??? It`s mean nothing for me.

[ngxadmin]

SPLAT is short for Secure Platform. Its kind of an inherent underlying OS that includes the Checkpoint software. I appreciate the entry that melipla made and it rings a bell for me. My node 1 which we normally run from was an upgrade (leaving R60 and R60HFA2 stuff on the box). My node 2 was a format/fresh install. Im going to failover to node 2 this week and see what happens regarding the authentication. Ive heard before that doing a fresh install of a major release is better than trying to do an upgrade.

[ngxadmin]

After two weeks on node 2, no auth issues. Node 1 probably requires a rebuild/install to alleviate the issue.

[vandavauk]

We are having the same issue as well on two different clusters. It started after going to R62 back in August. Currently I am working with Nokia to pin down the issue.

To reiterate the issue:
Users quit getting the popup prompt for authentication, and eventually the session times out and they get a page not found error. All other traffic passes fine. If the same user tries to get to a site that does not require authentication it works fine. If a user is already authenticated when the issue starts, they continue to work fine.

It can be anywhere from a few days to a month before it happens, and it starts with just a few people and then starts to grow rapidly. A “push”, fail over or reboot temporarily resolves the issue.

I have checked memory, CPU and disk usage and I/O on all devices involved (including the Radius server) for any anomalies. Nothing seems to be out of the ordinary. It can happen at times of high traffic or low. I just can’t find any corresponding triggers and nothing is showing up in the logs.

At this moment I am running a continuous capture on our radius server and the next time it happens I hope to prove weather the firewall quits asking, or if the radius server quits replying.

I will post anything new I find…
-Doug

Just an FYI:

Our setup is:
Two clusters running at different locations.

An IP560 (Diskless) cluster (Utilizing VRRP to cluster) running IPSO 4.1 Build 28 and R62 build 620.

An IP380 cluster (Utilizing VRRP to cluster) running IPSO 4.1 Build 28 and R62 build 620.

For Authentication: Funk (now Juniper) Steel Belted Radius

[chillyjim]

Tell Nokia to escalate this call to Dallas right away. There is an open case that sounds a lot like this to me. Contact me here (PM) if Nokia needs my TAC contact.

[ngxadmin]

I posted some time ago that I thought I had this resolved with a fresh install of SPLAT on the enforcement node, but that turned out to be incorrect. Eventually it got back to the same issue - no auth prompt. I have to reboot the enforcement node to get it working again. At least 3 checkpoint cases, no resolution.

[chillyjim]

If this is an immediate problem for anyone please contact me directly.

When there is a fully tested and approved fix, I will report it here.