
AD Base user internet issue in HA

Dear Team,

I have 2 ASG 8.309 (Node-1 & Node-2) 525 in an HA (Active/Passive) configuration.

And we have a Cluster licence (Active/Active) and are planning for the same, but we are facing the issue on Node-2 (when it is master).

We are using Active Directory Single-Sign-On (SSO) for user authentication.

Node-1 => (When Master) No issue with AD users.

Node-2 => (When Master) Username & Password window pops up for AD users; at that time there is no issue with IP-based users. (The winbindd service stops on the node.)

So we need to manually fetch the users in Node-2 from AD to start winbindd service

OR

Need to give this command in Node-2 => /var/mdw/scripts/ntlm start

After that the internet works normally

PFA log of HA & Fallback messages.

And some common errors I'm getting during the issue

Do let me know if extra log or information is needed from my side


This thread was automatically locked due to age.
  • I moved this out of the German forum.

    Barry
  • Please tell us how your configuration compares to HTTP-S Proxy Access with AD-SSO.

    Cheers - Bob
  • Hi Bob,

    You are a life saviour [:)]

    I have checked the settings and they seem fine.

    And I haven't faced the issue for 20 hours, but I'm still getting the below-mentioned logs.

    My ticket has also been open with Astaro for the last 21 days, but no proper answer [:(]

    What is the meaning of these logs?

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    WEB FILTERING LOG

    2013:04:06-16:26:53 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa1e9478" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:26:58 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9ec1d08" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:26:59 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbf31d768" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:27:37 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc04e4168" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:27:58 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc069a888" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:28:12 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9eb5a00" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:06-16:28:31 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9ee5328" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    FALL BACK LOG

    2013:04:06-11:56:13 FW_INTRA_HO [daemon:err] winbindd[28415]:    Could not write result
    2013:04:06-11:56:18 FW_INTRA_HO [daemon:err] winbindd[28910]:  [2013/04/06 11:56:18.945038,  0] winbindd/winbindd_dual.c:1577(fork_domain_child)
    2013:04:06-11:56:18 FW_INTRA_HO [daemon:err] winbindd[28910]:    Could not write result
    2013:04:06-11:56:44 FW_INTRA_HO [daemon:err] winbindd[28912]:  [2013/04/06 11:56:44.019597,  0] winbindd/winbindd_dual.c:1577(fork_domain_child)

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    HA LOG

    2013:04:06-15:21:42 FW_INTRA_HO-2 ha_daemon[6444]: id="38A1" severity="warn" sys="System" sub="ha" name="Current load average 10.69 is high!"
    2013:04:06-15:21:43 FW_INTRA_HO-1 ha_daemon[6340]: id="38A1" severity="warn" sys="System" sub="ha" name="Current load average 10.69 of node 2 is high, please check you system!"
    2013:04:06-15:25:46 FW_INTRA_HO-2 ha_daemon[6444]: id="38A1" severity="warn" sys="System" sub="ha" name="Current load average 11.04 is high!"
    2013:04:06-15:25:47 FW_INTRA_HO-1 ha_daemon[6340]: id="38A1" severity="warn" sys="System" sub="ha" name="Current load average 11.04 of node 2 is high, please check you system!"

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Note => The DNS entry of the Astaro is not coming into the AD DNS after joining the ASG to AD. I'm manually creating the entry of the ASG in the DNS. (Is this creating any issue?)


    And another thing is that I don't have any issue when Node-1 is master. More than that, I have 5 more locations with ASG 320 with the same AD settings and they are working fine.

    I'm only having the issue when Node-2 is master.
  • Try googling site:astaro.org "auth_adir_getsid_callback" to see how others have solved this.  I think you'll see that the first thing to try is to remove the UTM from the AD, and then rejoin the AD from the UTM.  If you have other Domain Controllers in your forest, be sure to let the deletion propagate to them before you do the rejoin.

    Any luck?

    Cheers - Bob
  • Maybe the brutal method of breaking the HA, reinstalling node2 clean from ISO and recreating the HA is an option.

    Regards
    Manfred
  • Manfred, how much luck have you had just doing a quick Backup/Restore to force a reload of the config file?  I think I'd try that first.  If that didn't work, I'd try Rebooting Node 2 when it is the Slave.  If that didn't work, I'd try a Factory-Reset on Node 2.  This is done by turning HA off when Node 1 is Master, causing a Factory Reset on the Slave.  Wait a minute to confirm it's resetting, and then turn Hot-Standby back on.

    But, I'm afraid in this case that your "brutal method" may be the only thing that will work. [:(]

    Yagnesh, please let us know what worked!

    Cheers - Bob
  • Hi Team,

    Sorry for the late reply.

    The Fallback log & HA log errors were resolved after running the NTP server.

    But I came to know that the Web Security log error I'm getting is from the IP-based users only (not from the AD-based users), and this issue still continues.

    IP-based user (my definition [:)]) => Defined in the "Web Filtering Profile => Proxy profile", and they are not members of the AD-based internet access.

    Now, any clue how to stop them?

    2013:04:15-15:34:30 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc3152030" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:38:07 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc298ccc0" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:38:12 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa081a18" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:38:17 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc2395b70" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:38:22 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa3d72f0" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:38:29 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9ffa498" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:41:33 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbf87a030" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:42:11 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc298c9f0" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:42:14 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa1301b8" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:47:16 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbfe01e78" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:47:18 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc2143b88" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:47:49 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc2978b98" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:47:54 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbf87a030" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:48:18 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9ffa600" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:48:20 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbc9fd738" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:49:35 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc2b61cd8" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2013:04:15-15:50:53 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xbf83fa20" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
  • Posts 5, 6 & 7 above, from Manfred and me, are your answer.

    Cheers - Bob
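
Added example, not part of the original thread and not Astaro/Sophos tooling: a small parser for the log formats posted above that counts `auth_adir_getsid_callback` "winbindd request failed" entries per HA node and time bucket, and picks out winbindd daemon errors. The function names and the 5-minute bucket are assumptions; the sample lines are copied from the posts. The proxy logs these failures at `severity="info"`, so a filter on warn/err alone would not surface them.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines copied from the posts above (web filtering, fallback and HA logs).
SAMPLE = '''\
2013:04:06-16:26:53 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa1e9478" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
2013:04:06-16:26:58 FW_INTRA_HO-2 httpproxy[4954]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9ec1d08" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
2013:04:15-15:34:30 FW_INTRA_HO-2 httpproxy[6793]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc3152030" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
2013:04:06-11:56:13 FW_INTRA_HO [daemon:err] winbindd[28415]:    Could not write result
2013:04:06-15:21:42 FW_INTRA_HO-2 ha_daemon[6444]: id="38A1" severity="warn" sys="System" sub="ha" name="Current load average 10.69 is high!"
'''.splitlines()

# timestamp, host, optional "[facility:level]" tag, process[pid], then the message body
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?:\[(?P<facility>[^\]]+)\] )?(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: ?(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%Y:%m:%d-%H:%M:%S")
    rec["fields"] = dict(KV_RE.findall(rec["body"]))  # empty for free-text bodies
    return rec

def is_sso_lookup_failure(rec):
    f = rec["fields"]
    return (rec["proc"] == "httpproxy"
            and f.get("function") == "auth_adir_getsid_callback"
            and "winbindd request failed" in f.get("message", ""))

def failures_per_node(lines, bucket_minutes=5):
    """Count proxy-side winbindd lookup failures per (node, time bucket)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if is_sso_lookup_failure(rec):
            t = rec["time"]
            start = t.replace(minute=t.minute - t.minute % bucket_minutes, second=0)
            counts[(rec["host"], start.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def winbindd_daemon_errors(lines):
    """Lines written by winbindd itself at err level (the fallback log format)."""
    return [r for r in filter(None, map(parse_line, lines))
            if r["proc"] == "winbindd" and (r["facility"] or "").endswith(":err")]
```

Comparing the per-node counts across a failover shows whether the failures follow the node that is currently master.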