
Client Authentication Agent disconnects on each firewall rule change

I do not know if this happens to others, but every time I edit a firewall policy that applies to a user, the authentication client disconnects.

Noel Zamora



Edited Tags
[edited by: Erick Jan at 11:52 PM (GMT -7) on 15 Sep 2022]
  • We deployed over 50 client authentication agents at our remote RED sites last week. Every time we make a change to a policy, the client has to right-click on the auth agent and set credentials to get them back on.

    Is this by design? Has anybody found a work around for this? This is quite the hassle!

    So it looks like everyone is having this problem?

  • Unfortunately no solution for the moment.

    Noel Zamora

  • Hi All,

    I checked the logs on a similar case, as the same issue was not seen when I reproduced it in the lab. When a user authenticates through the Sophos Authentication Agent, the UTM communicates through ping-pong packets for user status. The disconnection is pushed if the ping packet is not responded to by the end system.

    When I reproduced it and looked at the tcpdumps, the UTM sends a ping packet from 1.2.3.4 on port 9922. Alongside, the agent sends a pong reply on port 50332.

    20:11:43.136584 Port1, IN:  In 16:cb:fe:f6:d0:26 ethertype IPv4 (0x0800), length 62: 192.168.16.2.50332 > 1.2.3.4.9922: Flags [.], ack 1, win 256, length 0
    20:11:43.160135 Port1, IN:  In 16:cb:fe:f6:d0:26 ethertype IPv4 (0x0800), length 165: 192.168.16.2.50332 > 1.2.3.4.9922: Flags [P.], ack 1, win 256, length 109
    20:11:43.160203 Port1, OUT: Out 00:1a:8c:42:27:00 ethertype IPv4 (0x0800), length 56: 1.2.3.4.9922 > 192.168.16.2.50332: Flags [.], ack 110, win 229, length 0
    20:11:43.160744 Port1, OUT: Out 00:1a:8c:42:27:00 ethertype IPv4 (0x0800), length 1394: 1.2.3.4.9922 > 192.168.16.2.50332: Flags [P.], ack 110, win 229, length 1338
    20:11:43.162135 Port1, IN:  In 16:cb:fe:f6:d0:26 ethertype IPv4 (0x0800), length 382: 192.168.16.2.50332 > 1.2.3.4.9922: Flags [P.], ack 1339, win 251, length 326

    If you have an endpoint antivirus or anything intermediate, I think bypassing IP address 1.2.3.4 and ports 9922, 50332 and 50333 will resolve the issue.

    Please update me if anyone executes this exercise.

    Thanks

  • Sachin,

    I am using Sophos for Mac and this is the output from tcpdump on my Mac:


    If you were right and there was a firewall or something blocking the ping-pong mechanism, it should not work at all. As other guys wrote here, the Client Authentication was working with no issue until MR-2.

    Anyway, the problem when a policy rule is changed has appeared since the first XG release. So you should investigate why the ping-pong mechanism stops working after a policy rule is changed or when the computer comes back from sleep mode.

    If you need to investigate, let me know and I will send you all the logs you need.

    Thanks.
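An added example (not code from this thread or from Sophos) that makes the "who closed the session" question in Sachin's post and the Mac capture above checkable from a tcpdump: it parses lines in both the UTM "Port1, IN/OUT" form and the plain host-side form, groups packets per agent connection to 1.2.3.4:9922, and reports which side sent the first FIN, so a disconnect pushed by the firewall can be told apart from an agent that simply stopped answering. The sample lines are constructed in the style of those captures; the address and port are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Matches both tcpdump styles seen in this thread: the UTM's "Port1, IN: ... length 165:
# 192.168.16.2.50332 > 1.2.3.4.9922: Flags [P.], ..." form and the plain host-side form.
LINE_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})"
                     r"\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)")
FIREWALL, PORT = "1.2.3.4", 9922  # firewall address and ping-pong port quoted in the thread

# Constructed sample lines in the style of the captures posted above (not a real capture).
SAMPLE = """\
20:11:43.160135 Port1, IN:  In 16:cb:fe:f6:d0:26 ethertype IPv4 (0x0800), length 165: 192.168.16.2.50332 > 1.2.3.4.9922: Flags [P.], ack 1, win 256, length 109
20:11:43.160744 Port1, OUT: Out 00:1a:8c:42:27:00 ethertype IPv4 (0x0800), length 1394: 1.2.3.4.9922 > 192.168.16.2.50332: Flags [P.], ack 110, win 229, length 1338
192.168.0.7.55349 > 1.2.3.4.9922: Flags [P.], cksum 0x0a6d (correct), seq 1:207, ack 1, win 8192, length 206
1.2.3.4.9922 > 192.168.0.7.55349: Flags [P.], cksum 0x08fb (correct), seq 1:38, ack 1, win 245, length 37
1.2.3.4.9922 > 192.168.0.7.55349: Flags [F.], cksum 0x60e6 (correct), seq 38, ack 1, win 245, length 0
192.168.0.7.55349 > 1.2.3.4.9922: Flags [R], cksum 0xfd23 (correct), seq 293920139, win 0, length 0
""".splitlines()

def parse_line(line):
    """Fields of one TCP summary line, or None for anything else (e.g. the '...1.2.3.4.' payload residue)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"], "len": int(m["len"])}

def analyse(lines):
    """Per agent client port: payload bytes each way, which side sent the first FIN, any RST."""
    sessions = defaultdict(lambda: {"agent_bytes": 0, "fw_bytes": 0, "closed_by": None, "reset": False})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == FIREWALL and p["dport"] == PORT:
            s, side = sessions[p["sport"]], "agent"  # agent -> firewall (pong direction)
        elif p["src"] == FIREWALL and p["sport"] == PORT:
            s, side = sessions[p["dport"]], "fw"     # firewall -> agent (ping direction)
        else:
            continue                                 # unrelated traffic
        s[side + "_bytes"] += p["len"]
        if "F" in p["flags"] and s["closed_by"] is None:
            s["closed_by"] = side
        if "R" in p["flags"]:
            s["reset"] = True
    return dict(sessions)

def firewall_closed(lines):
    """Client ports whose session the firewall tore down first: the disconnect the thread describes."""
    return sorted(port for port, s in analyse(lines).items() if s["closed_by"] == "fw")
```

Run it over a real `tcpdump -n tcp port 9922` capture taken on the client while a rule is edited; a port listed by `firewall_closed` means the firewall ended that agent session, not the endpoint.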

  • Sachin,

    I think there is some kind of misunderstanding or something...

    We are not saying that client authentication does not work. We are saying that it does not automatically log in after waking from sleep.

    When the computer (Mac) is awake, you can shut down and start CAA as many times as you want and it will ALWAYS log in. I haven't seen any example of it failing in this scenario (or maybe just one, when I had forgotten to switch WiFi on ;-) ).

    I will repeat after Luk: it started after the update to MR-2, not before!

  • This is also happening with user groups. We use the remote agent (1.2.0) and get disconnected when changes are made under SYSTEM > AUTHENTICATION > GROUPS, such as adding or changing existing groups.

    Just to recap: if we make any change to a firewall policy, all clients using the authentication agent are disconnected. They then have to right-click on the agent and "set credentials" in order to get connected again. This also applies when creating or modifying a user group.

    We will be contacting support regarding this, as it makes changing any policy or group an after-hours job. We have over 50 users on the client authentication agent at all our RED locations and, as you would expect, they are unhappy when we make a change.

    Unless I am missing something?

    Thanks,
    Dave

  • Dave,

    Once you have opened a ticket, let us know.

    Thanks.