topic Re: What would cause different re-auth times? in SASE and Remote Access

What would cause different re-auth times?

VikingsFan — Fri, 06 Sep 2024 00:40:23 GMT

We've been doing some work on our VPN configs and noticed recently that the re-auth times can randomly be 8 hours while the Global Settings are set to 20 hours. We have been playing with upgrading to the latest versions and also changing the trac file on the gateways to use DNS for connections instead of IP every time. Is there a known bug that would cause this?

We do have the SecureClient Mobile set to 480 minutes (8 hours) but these are all Endpoint Security VPN clients.

See screenshot... this is the same user and login but starting on 8/30 you'll start seeing random 8 hour re-auth settings. Appreciate any help!

Re: What would cause different re-auth times?

AkosBakos — Fri, 06 Sep 2024 11:10:12 GMT

Hi @VikingsFan

What is came into my mint is the trac_client_1.ttm file

                :neo_user_re_auth_timeout (
                        :gateway (endpoint_vpn_user_re_auth_timeout
                                :default (client_decide)

I will check it, if the support.checkpoint.com will work again.

Akos

Re: What would cause different re-auth times?

VikingsFan — Fri, 06 Sep 2024 11:15:30 GMT

Actually poking around in that file right now. It's currently set to client_decide on both old and new cluster. The only changes we made were following this SK: https://support.checkpoint.com/results/sk/sk75221 and also testing different Endpoint Connect versions... E88.50 and E88.60.

That got me thinking though where the 'client_decide' information is stored and found that it's locally on the client under the trac.defaults file. Going to see if our pre-packaged file from earlier has different settings in there. Thanks!

Re: What would cause different re-auth times?

AkosBakos — Fri, 06 Sep 2024 11:19:14 GMT

Hi @VikingsFan

Good to hear that, if you find the exact sulotion, please share with us.

And compare the trac file on both GW-s, maybe there are different (and cluster members too)

Akos

Re: What would cause different re-auth times?

VikingsFan — Fri, 06 Sep 2024 12:02:14 GMT

The trac.defaults file was a dead-end... I loaded previous versions of our installer and did not see any difference in them that would explain a re-auth change. The trac file on the GWs between clusters are also similar and the only change on the old gateway was the DNS update linked above. So back to the beginning.

Only real change is we're using different client versions... will keep digging.

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 00:23:39 GMT

I could be mistaken when I say this, but IM fairly sure global properties re-auth setting would override any other setting you configure for this.

Can you send screenshot of how you have this in global properties?

Andy

Re: What would cause different re-auth times?

VikingsFan — Sat, 07 Sep 2024 00:30:23 GMT

Sure. I've also opened a TAC case through our partner and will update my post if we find out anything.

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 00:36:21 GMT

K, sounds good, let us know. I have couple of labs going, R81.20 and R82, never had this issue. When connected, it always asks me to re-authenticate at 23h55 mins, which is expected, as mine is set to 24 hours re-auth in global properties.

Let us know what TAC says. Maybe, just as a quick test, if you can have one of those users with the issue delete/re-create the site and try, see if that makes any difference. Not sure it will, but worth a shot.

Andy

Re: What would cause different re-auth times?

VikingsFan — Sat, 07 Sep 2024 01:10:41 GMT

I was poking around the client logs and was looking into the trac.log file and found these lines. Could the local settings be overriding the gateway? In our GWs trac_client_1.ttm file we have neo_user_re_auth_timeout set to default (client_decide). It's been this way forever but only when we started messing with upgrade clients and add/remove sites the 8 hour limit started popping up.

I'll update next week after talking to TAC unless you're familiar with this setting.

Line 43922: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Primary (2FA) ,gw NULL ,user USER Line 44079: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Primary (Certificate), gw NULL ,user USER Line 44236: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Secondary (2FA) ,gw NULL ,user USER Line 44392: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-VPN (Certificate), gw NULL ,user USER Line 44550: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Secondary (Certificate), gw NULL ,user USER Line 44707: [ 7396 8900][6 Sep 11:28:14][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-VPN (2FA), gw NULL ,user USER Line 44872: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Primary (2FA) ,gw NULL ,user USER Line 45029: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Primary (Certificate), gw NULL ,user USER Line 45186: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Secondary (2FA) ,gw NULL ,user USER Line 45342: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-VPN (Certificate), gw NULL ,user USER Line 45499: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Secondary (Certificate), gw NULL ,user USER Line 45656: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-VPN (2FA), gw NULL ,user USER Line 45814: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Primary (2FA) ,gw NULL ,user USER Line 45971: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Primary (Certificate), gw NULL ,user USER Line 46128: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 1200, because it is Gateway config variable. Scope: site COMP-Secondary (2FA) ,gw NULL ,user USER Line 46284: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-VPN (Certificate), gw NULL ,user USER Line 46441: [ 7396 8900][6 Sep 11:28:15][CONFIG_MANAGER] neo_user_re_auth_timeout return value 480, because it is Default variable. Scope: site COMP-Secondary (Certificate), gw NULL ,user USER

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 01:44:01 GMT

Here is what I would try, BUT, please back up the fw and that file. Maybe replace ttm file on gw with default one and push policy, test. Or send me the file and I can compare it to one from my working gw Sunday. R81.20 version?

Andy

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 02:18:16 GMT

Here is something you could try, just backup current ttm file and them modify as below, install policy.

Andy

:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1200)

Re: What would cause different re-auth times?

VikingsFan — Sat, 07 Sep 2024 11:32:12 GMT

I was thinking the same thing... will give it a try. The "neo_user" is what was throwing me off as not being applicable... is that the old name of the VPN software? NEO? Will report back Monday if the change helped and also if TAC says anything.

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 11:41:38 GMT

Man, I have no idea LOL. The only abbreviation I know for NEO is named executive officer, haha.

Anywho, I guess in this instance it could be new? No clue : - )

Let us know if that fixes it, fingers crossed.

Andy

Re: What would cause different re-auth times?

VikingsFan — Sat, 07 Sep 2024 11:57:07 GMT

Thanks again. What I don't like is how random it is. I just connected four times with my regular MFA type and four times with my certificate and seven times I got the 1200 minutes and one time I got the 480. Strange. Anyways, it's the weekend! Will make the change and report back Monday. 🙂

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 12:05:20 GMT

Thats gotta be annoying, I hear ya. One thing you can do is make that change on ttm mgmt file, BUT, then it would apply to ALL gateways, just "throwing" that out there.

Andy

Re: What would cause different re-auth times?

the_rock — Sat, 07 Sep 2024 12:14:03 GMT

Forgot to say, dont forget to install policy after making the change in ttm file.

Re: What would cause different re-auth times?

the_rock — Sun, 08 Sep 2024 19:02:19 GMT

Hey mate,

Happy to do remote if need be, Im sure we can figure it out together, let me know.

Cheers,

Andy