topic Re: Remote Access VPN Authentication Failure in Firewall and Security Management

Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 15:51:43 GMT

Hello Experts!

We are currently experiencing issues with the Remote Access VPN. The issue is when new user is created on the existing (Working) ClientlessVPNGroup and try to connect via browser fails the login with the error: "Unknown user". T/S was made creating new users using the same default template and the same results. However when creating new user on the internal AD which is part of the same RemoteAcessVPN Community and FW Rule it authenticates without issues. Publish & Install and Install Database was properly done.

Current environment:
SMS r81.10 (Was upgraded like 19 days ago from r80.30 to r81.10 and everything was seamlessly working until yesterday.
Cluster (2 Gateways) running r80.30

Only change that was made yesterday was on the default template object witch is included on the uploaded file. I Appreciate any tips or suggestions on this issue.

Thanks,

Re: Remote Access VPN Authentication Failure

the_rock — Wed, 29 Dec 2021 15:59:17 GMT

Hey bro,

Did you make sure user belongs to the group allowed to access stuff via remote access community?

Andy

Re: Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 16:00:16 GMT

Yeah brother!

Re: Remote Access VPN Authentication Failure

the_rock — Wed, 29 Dec 2021 16:02:27 GMT

Normally, if you add user via AD, say if you have radius auth (just as an example) and AD integrated via dashboard, sometimes you may need to push policy to reflect the changes, though in most cases, it would reflect right away.

Andy

Re: Remote Access VPN Authentication Failure

the_rock — Wed, 29 Dec 2021 16:02:49 GMT

Email me some screenshots directly, let me check.

Re: Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 16:13:59 GMT

Yeah push policy was done with new AD user and worked but the issue at the moment is presented when creating new local users, current existing local users on the same group are working.

Re: Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 16:14:12 GMT

Done buddy!

Re: Remote Access VPN Authentication Failure

the_rock — Wed, 29 Dec 2021 16:14:51 GMT

K, just send zoom or webex, I think I can figure this out quick...Im sure its some minor misconfiguration.

Re: Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 16:21:40 GMT

Done

Re: Remote Access VPN Authentication Failure

Timothy_Hall — Wed, 29 Dec 2021 16:30:28 GMT

Sounds suspiciously similar to the following, what happens if you set the template expiration date to 2029 instead of 2030 and then create a user with it?

sk167103: Expiration Date configured to after 2030 is considered as expired

Re: Remote Access VPN Authentication Failure

K_montalvo — Wed, 29 Dec 2021 17:49:47 GMT

Thanks for the suggestion @Timothy_Hall will try that and keep you guys posted of the results.

Re: Remote Access VPN Authentication Failure

the_rock — Wed, 29 Dec 2021 17:58:20 GMT

@Timothy_Hall ...I just did remote with @K_montalvo and since we could not look at the actual environment, we went through some basic setup on lab mgmt and I also saw that for one customer I always help with, any local vpn users are by default set to same date (December 31st, 2030) and works fine. I believe sk you mentioned strictly references to new admin, as "never" option is not there for vpn user. Either way, I asked Kenny to try change it to say 2025 and see if it makes any difference. Personally, though I showed him the option for mobile access via blades (under manage and settings), considering this is the only user with a problem, does not logically sound like its an issue with the MA blade configuration. Regardless, they will test all we discuss and update us.

Andy

Re: Remote Access VPN Authentication Failure

K_montalvo — Thu, 30 Dec 2021 15:46:29 GMT

@the_rock @Timothy_Hall I was able to do T/S today and posibbly identified the issue:

What we are seeing is and error when the Standard Access Policy installation could that be the issue? If so can you guys guide me if theres a command to fix it or steps i shall follow to resolved the issue?

I really appreciate your help!

Thanks!

Re: Remote Access VPN Authentication Failure

Timothy_Hall — Thu, 30 Dec 2021 15:51:45 GMT

Sounds like the ranges specified in the Translated Source field are incorrectly set for static instead of hide. You can right-click in that field and force it to Hide. If this is not the case please post a screenshot of the NAT rules in question.

Re: Remote Access VPN Authentication Failure

the_rock — Thu, 30 Dec 2021 15:57:26 GMT

Hey buddy,

@Timothy_Hall is absolutely right. Sounds like nat method is wrong if thats the message you are seeing. Can you paste actual NAT rule?

Andy

Re: Remote Access VPN Authentication Failure

K_montalvo — Thu, 30 Dec 2021 19:05:11 GMT

Hello,

This was actually the issue with a source network with a /16 translated to a /24 on a couple of NAT rules created a couple years ago. Somehow they started to present the issue recently. The TAC was also very helpful.

Re: Remote Access VPN Authentication Failure

K_montalvo — Thu, 30 Dec 2021 19:07:12 GMT

Hello buddy,

Yeah what @Timothy_Hall posted above was the issue. I know if in the remote session yesterday with you had access to the actual environment you would figure it out. Many thanks as always for your support and friendship!

Re: Remote Access VPN Authentication Failure

the_rock — Thu, 30 Dec 2021 19:09:14 GMT

Any time, no problem at all. @Timothy_Hall is the man, I think he knows everything CP related, so always amazing resource.

HAPPY NEW YEAR!