WAF/OTP combination causes session disconnects due to Sophos bug

Using WAF and OTP is causing session disconnects. The solution will come in release 9.4xx, which has no official release date. OTP is a paid extra service on the UTM. Sophos is leaving me in the cold. We have spent a lot of money on the issue, and need to spend extra money on an alternative solution. Can we get compensation for these costs?

Issue: http://sophos.com/kb/117759

Sometimes OTP authentication for WAF didn't work. When handling a client request, the current process has to have the data structure holding all known user sessions in its memory. If this is not the case, no user session for the user currently being handled will be found and a new one will be initiated. During this initialization process, the user's credentials will be verified against AUA. In case of OTP this will fail since the user's client sent a session cookie containing a password with an old OTP token.



This thread was automatically locked due to age.
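The failure mode described in the issue text above, modelled as an added example (not Sophos code and not part of the original posts): two request-handling processes with separate session tables, and a cookie that still carries the password plus the OTP code from login. All names, the toy counter-based code and the sample values are assumptions made for illustration; the shared-table run is only a contrast and says nothing about how the vendor fixed the bug.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed sample value

def otp(counter):
    """Toy counter-based code (stand-in for a real OTP algorithm)."""
    return hmac.new(SECRET, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

class Authenticator:
    """Hypothetical stand-in for the auth backend: each code is accepted once."""
    def __init__(self):
        self.counter = 0

    def verify(self, password, code):
        ok = password == "pw" and hmac.compare_digest(code, otp(self.counter))
        if ok:
            self.counter += 1          # the code is now spent
        return ok

class Worker:
    """One request-handling process with its own (or a shared) session table."""
    def __init__(self, auth, sessions=None):
        self.auth = auth
        self.sessions = {} if sessions is None else sessions

    def handle(self, cookie):
        if cookie["sid"] in self.sessions:
            return "ok"                # known session, no re-verification
        # Session unknown in this process: re-verify the cookie's credentials.
        if self.auth.verify(cookie["password"], cookie["code"]):
            self.sessions[cookie["sid"]] = True
            return "ok"
        return "rejected"              # stale OTP code, user is logged out

def run(shared):
    """Send the same cookie to worker 1 twice, then to worker 2."""
    auth = Authenticator()
    store = {} if shared else None
    w1, w2 = Worker(auth, store), Worker(auth, store)
    cookie = {"sid": "s1", "password": "pw", "code": otp(0)}
    return [w1.handle(cookie), w1.handle(cookie), w2.handle(cookie)]

if __name__ == "__main__":
    print("per-process tables:", run(shared=False))
    print("shared table:      ", run(shared=True))
```

The third request is rejected only when it lands on a process that has never seen the session, which is why the disconnects look intermittent from the user's side.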
  • I would suggest that you open up a case with Support and discuss with them.
  • One of my customers seems to have the same problem - should be fixed in 9.370

    I'll call support now.


    ID34447 9.306 Issue with WAF Rev. Auth. and OTP
    ------------------------------------------------------------------------
    Description: Sometimes OTP authentication for WAF didn't work.

    When handling a client request, the current process has to
    have the data structure holding all known user sessions in
    its memory. If this is not the case, no user session for
    the user currently being handled will be found and a new
    one will be initiated. During this initialization process,
    the user's credentials will be verified against AUA. In
    case of OTP this will fail since the user's client sent a
    session cookie containing a password with an old OTP
    token.
    Workaround: Please contact support referring to this bug ID to provide
    a workaround for that issue.
    Fixed in: 9.370
  • Hi,

    this is fixed in 9.4.

    9.4 has been in beta since yesterday, so you could try it out yourself.

    More information regarding the beta can be found here:
    community.sophos.com/.../74654

    Sabine
  • The problem still exists in Firmware version: 9.400-9. My ticket has been recorded for months now, but after gathering logs it's been very quiet. I hope someone can point me to a solution or workaround using different software or products.

  • The problem is confirmed by Sophos and recorded under #5504658 since November 2015.