Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 4577 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Authentication Bugs found: SFOS 17.1.1 MR-1

David Carskadon

I have been fighting for months now authentication problems, and I have finally found 2 separate causes:

Primary symptom: Remote SSL vpn: authentication failures.

Cause #1: Spaces in local user account names.  In this case, authentication was working fine, nothing of interest in the access_server.log.  Authentication was working for everything, but the sslvpn log showed authentication errors, despite logs in AD showing success.  After correcting spaces in names under users, this problem never came back.

Cause #2: STAS causing a loop lock for authentication (see below).  In this case, with STAS enabled, requests from a terminal server completely killed authentication for everything.  I resolved this simply by creating a clientless users for the XenApp (terminal servers), so that the firewall would stop trying to figure out web requests from it.

For Cause #1, I have to assume there is a programming error, specifically with some SQL statement that is not escaping strings properly.

For Cause #2, looks like authentication is not multi-threaded, and there is no logic to deal with potential looping issues on STAS.

 

ERROR     Aug 08 08:31:26 [4143598080]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT_ANY found no entries for IP 10.1.7.25 (sqrs 101)

ERROR     Aug 08 08:31:26 [4143598080]: handle_internal_logout_req: SQLITE_REQ_GETLIVEUSER query failed

ERROR     Aug 08 08:31:26 [4143598080]: do_authorization_phase2: Can't Logout User from IP: '10.1.7.25'

ERROR     Aug 08 08:31:26 [4143598080]: (write_subsysqueue): POSTGRES_DB CLIENT: write error 11 (Resource temporarily unavailable), wq=0x9f2cbc8 filled_len=16

ERROR     Aug 08 08:31:26 [4143598080]: (write_subsysqueue): POSTGRES_DB CLIENT: write error 11 (Resource temporarily unavailable), wq=0x9f2cbc8 filled_len=32

ERROR     Aug 08 08:31:26 [4143598080]: (write_subsysqueue): POSTGRES_DB CLIENT: write error 11 (Resource temporarily unavailable), wq=0x9f2cbc8 filled_len=48

ERROR     Aug 08 08:31:26 [4143598080]: (write_subsysqueue): POSTGRES_DB CLIENT: write error 11 (Resource temporarily unavailable), wq=0x9f2cbc8 filled_len=64

ERROR     Aug 08 08:31:26 [4143598080]: (write_subsysqueue): POSTGRES_DB CLIENT: write error 11 (Resource temporarily unavailable), wq=0x9f2cbc8 filled_len=80



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    Welcome to the Sophos Community!

    My apologies for the inconveniences you experienced with your setup, and thanks for sharing your investigation.

    Did you already have a support case raised for these? If so, would it be possible to PM these to me so I can follow up accordingly with our team?

    Thanks!

Reply
  • 0

    Hi  

    Welcome to the Sophos Community!

    My apologies for the inconveniences you experienced with your setup, and thanks for sharing your investigation.

    Did you already have a support case raised for these? If so, would it be possible to PM these to me so I can follow up accordingly with our team?

    Thanks!

Children
  • 0 in reply to FloSupport

    I have the same problem with the  17.1.3 MR-3

    this bug haven't been solved in the  17.1.3 MR-3 firmware?

  • +1 in reply to Renzo_Snia

    The only re-occurrences I have run into is that on some firewalls (we have many), for some unknown reason, applying firmware updates might change users or their groups and set mac binding to enabled.  As far as I can tell, mac-binding does not seem to do anything other than cause the ssl vpn to not work.  I fail to see it's usefulness.  If you check this on purposes and have a legitimate mac-address here.  A user can do anything on the firewall from a different mac-address, except log into the ssl vpn.  Even if the mac-address is correct, they still can't log into the ssl-vpn, so as far as I can tell, mac-binding is simply something that makes the ssl vpn not work.  It seems to get enabled randomly on firmware updates.  I say randomly, as I can update firmware on 7 different firewalls, and maybe users on 1 of the 7 suddenly can't use the VPN immediately after the update, only to find that mac-binding magically got turned back on. 

    So, I guess check for this. 

  • 0 in reply to David Carskadon

    thanks for the answer.

    I just applied what you said: disabled all the mac binding in all the user groups.

    really my first issue is that during this problem happening the cpu of the firewall get the 100% and any kind of authentication stop working (STAS, web, etc..).

    I will see if this configuration will solve....