topic Re: "A secondary session request was received from the same IP" from a Terminal Servers Id in Firewall and Security Management

"A secondary session request was received from the same IP" from a Terminal Servers Identity Agent

ClaudiaPeter — Fri, 12 Jul 2024 09:52:47 GMT

Hi,

we use the IA collector and Terminal Servers Identity Agents. Recently we see problems with "A secondary session request was received from the same IP" from Citrix TS servers and as Indentity Source "Terminal Servers Identity Agent" (see attachted screenshot). I know this error logs for identities from the IA collector, but the exculsion for the TS network within the IA collector seems to work, no logs for this network with Identity Source "Identity Collector (Active Directory)". And no other error logs of the blade Identity Awareness.
I don't know since when the error occurs, it's sporadic and already in the oldest available logs. But now we have problems with several firewall rules that don't match because the identity is "lost".

I'm still trying to verify if there is always another session on the problematic TS without any log of the IA. In the last case there was one, but without any obvious difference to the other TS sessions (it's a Citrix farm).

We see it on both gateways with terminal server agent connections.
It comes from several TS instances, mostly only one at the same time, it stops and some hours later from another TS.
It occurs on two gateways, from two Citrix farms, it might be a general problem.

Did anybody see the secondary login error from a MUH agent?

Gateways: R81.10 Take 150; R81.20 Take 65 (recently updated to R81.20, no change of the error)
TS Agent: R81.070.0000
Number of sessions per TS: 3 - 5
TS: Win 2019
Number of connected Terminal Servers Identity Agents on the R81.20 gateway: ~35

Best regards
Claudia

Re: "A secondary session request was received from the same IP" from a Terminal Servers Id

PhoneBoy — Fri, 12 Jul 2024 13:54:07 GMT

Did you check: https://support.checkpoint.com/results/sk/sk131792

Re: "A secondary session request was received from the same IP" from a Terminal Servers Id

ClaudiaPeter — Fri, 12 Jul 2024 14:00:46 GMT

Yes, but this network is in the network exclusion filter of the Identity Collector (and there is no log in logged for the Identity Collector for this IP address), and we don't use AD query.

Re: "A secondary session request was received from the same IP" from a Terminal Servers Id

PhoneBoy — Fri, 12 Jul 2024 19:04:48 GMT

This is relevant for all methods except ADQuery, actually.
Your best bet is probably a TAC case: https://help.checkpoint.com

Re: "A secondary session request was received from the same IP" from a Terminal Servers Id

ClaudiaPeter — Wed, 24 Jul 2024 14:13:44 GMT

Hi,

I did some additional debugging to get more error details before opening a TAC case, and found that just one user causes this error, but this user has no log entry in SmartConsole (a ghost it's rather hard to find). The login/logout timestamps and hostname of the TS from Citrix match the begin and end of the error logs on Check Point side at several days.

I checked the ia_client.log on the TS and there is a eye-cathing difference to the other users: the problematic users seems to have 140 group SIDs, all other users have significantly less group SIDs.The logs for this users ends up with

[ 3548 5552]@hostname[24 Jul 14:35:28] [PDP Connection Manager (TD::Events)] NAC::CLIENT::PDPCOMM::PDPConnectionManager::sendRequest: callerHandleFailure 0 from type SubSession
[ 3548 5552]@hostname[24 Jul 14:35:28] [PDP Connection Manager (TD::Events)] NAC::CLIENT::PDPCOMM::PDPConnectionManager::sendRequest: not sending request since there is a queue. waiting for previous calls to wait
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::User::addWindowsSessionID: Adding windows session 4 for user: xyz\xyz
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: session id: 0, username: , logon domain: (connect state: 6)
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: Failed to obtain session's handle
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: session id: 0, username: , logon domain: (connect state: 6)
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: Failed to obtain session's handle
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: session id: 0, username: , logon domain: (connect state: 6)
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::addCurrentlyLoggedInUsers: Failed to obtain session's handle
[ 3548 5552]@hostname[24 Jul 14:35:28] [MUH2UserManager (NAC::IS::TD::Events)] NAC::CLIENT::MANAGER::MUH2UserManager::MUH2UserManager: Succeeded loading MUH driver service library
[ 3548 5552]@hostname[24 Jul 14:35:28] [AuthenticationManager (NAC::IS::TD::Events)] NAC::CLIENT::AUTH::AuthenticationManager::finishedLastAuthentication: scheduling re-authentication in 180000 ms for group MachineAuthMethods
[ 3548 5552]@hostname[24 Jul 14:35:28] [PDP Connection Manager (TD::Events)] NAC::CLIENT::PDPCOMM::PDPConnectionManager::Notify: firing connection notifiction trigger finished
[ 3548 5552]@hostname[24 Jul 14:35:28] [PDP Connection Manager (TD::Events)] NAC::CLIENT::PDPCOMM::PDPConnectionManager::eraseFromRequestNotificationMap: deleting request 2 connection notification

I cannot find a documented limit for the Terminal Server Identity Agent for group memberships. Are 140 groups really too many?

Best regards
Claudia

Re: "A secondary session request was received from the same IP" from a Terminal Servers Id

PhoneBoy — Wed, 24 Jul 2024 15:27:06 GMT

It could very well be that you've run into some sort of limit.
Definitely open a TAC case if you haven't already.